Ande Loader Malware Spreads Using Phishing
The threat actor Blind Eagle has been observed employing a loader malware named Ande Loader to distribute remote access trojans (RATs) such as Remcos RAT and NjRAT. These attacks, initiated through phishing emails, were specifically aimed at Spanish-speaking individuals within the manufacturing sector located in North America, according to reports from eSentire.
Blind Eagle, also known as APT-C-36, is a financially motivated threat actor with a track record of conducting cyber attacks against targets in Colombia and Ecuador, delivering various RATs including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT. The recent findings indicate an expansion in the threat actor's targeting strategy, utilizing phishing tactics with RAR and BZ2 archives to initiate the infection process.
Ande Loader Method of Infiltration
The password-protected RAR archives contain a malicious Visual Basic Script (VBScript) file that establishes persistence by placing itself in the Windows Startup folder and then launches Ande Loader, which in turn loads the Remcos RAT payload. In a second observed chain, a BZ2 archive containing a VBScript file is distributed through a Discord content delivery network (CDN) link, and Ande Loader drops NjRAT instead of Remcos RAT.
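The persistence step above (a script file dropped into the Windows Startup folder) is simple to audit from the defender's side. The following is an added example, not code from the article or from eSentire: it scans the standard per-user and all-users Startup folders (assumed standard paths built from APPDATA and PROGRAMDATA) and flags script-type files, including double-extension names such as a ".pdf.vbs" lure. The file names in the demo folder are constructed sample data; the only page-derived fact is that the loader's VBScript persists via the Startup folder.

```python
"""Audit Windows Startup folders for script-based persistence (added example)."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Script-type extensions that should rarely appear in a Startup folder on a managed host.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd",
}


def startup_folders() -> List[Path]:
    """Return the per-user and all-users Startup folders (assumed standard
    Windows locations; returns an empty list where the variables are unset)."""
    folders = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return folders


def classify_entry(name: str) -> Optional[str]:
    """Return a reason string if a file name looks like script persistence, else None."""
    suffixes = Path(name.lower()).suffixes
    if not suffixes:
        return None
    ext = suffixes[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(suffixes) >= 2:
        # e.g. "Factura.pdf.vbs": a document-looking name hiding a script extension
        return f"script file with double extension ({''.join(suffixes)})"
    return f"script file ({ext})"


def audit_folder(folder: Path) -> List[Tuple[str, str]]:
    """Scan one folder and return (path, reason) tuples for suspicious entries."""
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if entry.is_file():
            reason = classify_entry(entry.name)
            if reason:
                findings.append((str(entry), reason))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed Startup folder in a temp dir and audit it (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Startup"
        folder.mkdir()
        # Constructed sample entries: two benign, two that mimic script persistence.
        for name in ["desktop.ini", "OneDrive.lnk", "Factura.pdf.vbs", "update.js"]:
            (folder / name).write_text("sample", encoding="utf-8")
        return [(Path(p).name, r) for p, r in audit_folder(folder)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"FLAG (demo) {path}: {reason}")
    for folder in startup_folders():
        for path, reason in audit_folder(folder):
            print(f"FLAG {path}: {reason}")
```

On a real host the extension check is a first pass only; a .lnk shortcut whose target is wscript.exe or cscript.exe achieves the same persistence without a script extension, so pairing this with a review of shortcut targets and of Startup-folder file-creation events gives better coverage.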
eSentire noted that Blind Eagle has been utilizing crypters developed by individuals known as Roda and Pjoao1578. One of Roda's crypters contains a hardcoded server hosting both injector components of the crypter and additional malware used in the Blind Eagle campaign.
These developments coincide with SonicWall's disclosure of another loader malware family called DBatLoader, which exploits a legitimate-but-vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to disable security solutions in a Bring Your Own Vulnerable Driver (BYOVD) attack, ultimately delivering Remcos RAT.