Researchers have discovered a new multi-stage attack chain conducted by the Blind Eagle cyberespionage group that leads to the deployment of NjRAT on infected systems.
In the latest attack campaign, Blind Eagle leverages social engineering, custom malware, and spear-phishing attacks.
The VBScript code runs the batch file, which is deobfuscated at runtime to execute the previously delivered PowerShell script. Finally, the PowerShell script launches NjRAT, which gives the attacker control of the compromised system through a graphical user interface.
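As an added defender-side example (not code from the ThreatMon report), the following Python walks Sysmon-style process-creation events and flags a PowerShell process whose parent lineage is cmd.exe under wscript.exe, which is the chain the VBScript, batch file and PowerShell stages above produce; the event fields, paths and sample events are constructed.

```python
"""Flag the wscript.exe -> cmd.exe -> powershell.exe process lineage.
Added example with constructed events; not the report's own tooling."""
from collections import namedtuple

# Constructed Sysmon-style fields: process id, parent id, image path, command line.
Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\Downloads\factura.vbs"'),
    Event(300, 200, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"),  # constructed
    # Benign noise: cmd.exe started from explorer, no wscript ancestor.
    Event(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    Event(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-Process"),
]

# Expected lineage, child first, matching the VBScript -> batch -> PowerShell stages.
LINEAGE = ("powershell.exe", "cmd.exe", "wscript.exe")
# Command-line switches that commonly accompany hidden or encoded PowerShell stages.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-ep bypass")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Return image basenames from the event up through its known ancestors."""
    names, cur, seen = [], event, set()
    while cur is not None and cur.pid not in seen:  # guard against pid reuse loops
        seen.add(cur.pid)
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return names


def find_chain_hits(events):
    """Return one record per PowerShell process whose lineage matches LINEAGE."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != LINEAGE[0]:
            continue
        lineage = ancestry(e, by_pid)
        if tuple(lineage[:len(LINEAGE)]) == LINEAGE:
            flags = [f for f in SUSPICIOUS_FLAGS if f in e.cmdline.lower()]
            hits.append({"pid": e.pid, "lineage": lineage[:len(LINEAGE)], "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in find_chain_hits(SAMPLE_EVENTS):
        print(hit)
```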
Blind Eagle, also tracked as APT-C-36, is believed to be a Spanish-speaking group that primarily targets private and public sector entities in Colombia. However, the group’s attacks have also been observed in Ecuador, Chile, and Spain.
The threat actors impersonated a Colombian government tax agency to target key sectors.
Blind Eagle’s modus operandi has remained the same since its emergence, which indicates that the group is comfortable with spear-phishing campaigns because they continue to succeed against their targets. Organizations in the affected sectors should therefore strengthen their security posture, and training employees to recognize phishing emails is strongly recommended.
This research was documented by researchers from ThreatMon.