
Ande Loader Malware

The cyber threat actor identified as Blind Eagle has been observed employing a loader malware named Ande Loader to distribute Remote Access Trojans (RATs) such as the Remcos RAT and NjRAT. These attacks, executed through phishing emails, specifically targeted Spanish-speaking individuals in the manufacturing sector located in North America.

Blind Eagle, also known as APT-C-36, is a financially driven threat actor with a track record of conducting cyber assaults against organizations in Colombia and Ecuador. Their modus operandi involves deploying various RATs, including AsyncRAT, BitRAT, the Lime RAT, NjRAT, the Remcos RAT and the Quasar RAT.

The Ande Loader Malware Is Delivered via Several Infection Chains

The expansion of the threat actor's targeting scope is evident in the Ande Loader attack operation, which employs phishing-laden RAR and BZ2 archives to initiate the infection process.

The RAR archives, protected with passwords, contain a malicious Visual Basic Script (VBScript) file responsible for establishing persistence in the Windows Startup folder. This file also triggers the execution of the Ande Loader, which subsequently loads the Remcos RAT payload.

In an alternate attack scenario observed by cybersecurity researchers, a BZ2 archive housing a VBScript file is disseminated through a Discord content delivery network (CDN) link. In this instance, the Ande Loader malware drops NjRAT instead of the Remcos RAT.
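The two delivery chains above (a script file persisted in the Windows Startup folder, and an archive fetched from a Discord CDN link) can be turned into a simple host-and-proxy check. The following is an added example written for this page, not code from the page's source or any vendor tooling; the Discord CDN host names, the extension lists and the sample paths and log lines are all assumptions constructed for illustration.

```python
import os
import re
from pathlib import PureWindowsPath

# Extensions Windows executes as scripts from a Startup folder (the Ande Loader chain uses VBScript).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
# Trailing path components shared by the per-user and all-users Startup folders.
STARTUP_PARTS = ("windows", "start menu", "programs", "startup")
# Discord CDN attachment URLs; host names are an assumption, the page only says "Discord CDN".
DISCORD_CDN_RE = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/[^\s?]+", re.I)
SUSPECT_DOWNLOAD_EXT = {".bz2", ".rar", ".zip", ".7z"} | SCRIPT_EXTENSIONS


def find_startup_scripts(paths):
    """Return the entries in `paths` that are script files inside a Startup folder."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent_tail = tuple(s.lower() for s in wp.parent.parts[-4:])
        if parent_tail == STARTUP_PARTS and wp.suffix.lower() in SCRIPT_EXTENSIONS:
            hits.append(p)
    return hits


def find_discord_cdn_downloads(log_lines):
    """Return Discord CDN attachment URLs in proxy log lines that fetch archives or scripts."""
    hits = []
    for line in log_lines:
        for url in DISCORD_CDN_RE.findall(line):
            if os.path.splitext(url)[1].lower() in SUSPECT_DOWNLOAD_EXT:
                hits.append(url)
    return hits


def scan_local_startup_folders():
    """Run find_startup_scripts over this host's real Startup folders (Windows only)."""
    paths = []
    for root in filter(None, (os.environ.get("APPDATA"), os.environ.get("ProgramData"))):
        folder = os.path.join(root, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
        if os.path.isdir(folder):
            paths.extend(os.path.join(folder, name) for name in os.listdir(folder))
    return find_startup_scripts(paths)


# Constructed sample data for a dry run; not real indicators from the page.
SAMPLE_PATHS = [
    r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\factura.vbs",
    r"C:\Users\ana\Documents\notas.vbs",
]
SAMPLE_LOG = [
    "2024-03-12 09:14:02 ana GET https://cdn.discordapp.com/attachments/111/222/factura.bz2 200",
    "2024-03-12 09:15:40 ana GET https://cdn.discordapp.com/attachments/111/223/logo.png 200",
]
```

On a Windows host, `scan_local_startup_folders()` applies the same check to the real per-user and all-users Startup folders; any script file it returns warrants a look at what the script launches.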

The Blind Eagle threat actor has been utilizing crypters crafted by Roda and Pjoao1578. Notably, one of Roda's crypters features a hardcoded server hosting both injector components of the crypter and additional malware utilized in the Blind Eagle campaign.

RAT Infections Can Have Devastating Consequences

RATs are threatening software programs designed to provide unauthorized access and control over a victim's computer or network. These infections can have devastating consequences for victims due to several reasons:

  • Unauthorized Access: RATs grant attackers remote control over infected systems, allowing them to execute commands, access files, view the screen and even control peripherals like cameras and microphones. This level of access can compromise sensitive information, including personal data, financial records, intellectual property and credentials.
  • Data Theft and Espionage: With access to the victim's system, attackers can collect valuable data such as business plans, proprietary algorithms, customer databases, or personal information. This collected data can be exploited for financial gain, industrial espionage, or identity theft.
  • System Manipulation: RATs enable attackers to manipulate the victim's system in various ways, including installing additional malware, modifying or deleting files, altering system configurations or disrupting critical services. Such manipulations can lead to system instability, data corruption, or loss of functionality.
  • Surveillance and Monitoring: RATs often include features for covert surveillance and monitoring, allowing attackers to eavesdrop on conversations, capture keystrokes, record screen activity, or access webcam feeds. This invasion of privacy can have significant psychological impacts on victims and can be particularly devastating in cases of personal or sensitive communications.
  • Propagation and Network Compromise: RAT infections can serve as entry points for further network infiltration and propagation of malware within an organization's infrastructure. Attackers can use compromised systems as footholds to pivot into more secure network segments, escalate privileges, and launch additional attacks, potentially causing widespread damage and disruption.
  • Financial Loss and Legal Consequences: Victims of RAT infections may suffer financial losses due to theft, extortion or fraud perpetrated by attackers. Additionally, organizations may incur significant costs related to incident response, remediation, legal fees, regulatory fines and damage to reputation and customer trust.

Overall, RAT infections pose a serious threat to individuals, businesses, and institutions, with potential consequences ranging from financial losses and reputational damage to legal liabilities and national security risks. This underscores the importance of robust cybersecurity measures, including regular software updates, network monitoring, user education and the deployment of advanced threat detection and mitigation technologies.
