Ande Loader Malware Spreads Using Phishing

The threat actor Blind Eagle has been observed employing a loader malware named Ande Loader to distribute remote access trojans (RATs) such as Remcos RAT and NjRAT. These attacks, initiated through phishing emails, were specifically aimed at Spanish-speaking individuals within the manufacturing sector located in North America, according to reports from eSentire.

Blind Eagle, also known as APT-C-36, is a financially motivated threat actor with a track record of conducting cyber attacks against targets in Colombia and Ecuador, delivering various RATs including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT. The recent findings indicate an expansion in the threat actor's targeting strategy, utilizing phishing tactics with RAR and BZ2 archives to initiate the infection process.

Ande Loader Method of Infiltration

The password-protected RAR archives contain a malicious Visual Basic Script (VBScript) file that establishes persistence by placing itself in the Windows Startup folder and then launches Ande Loader, which in turn loads the Remcos RAT payload. In a second observed chain, a BZ2 archive containing a VBScript file is delivered through a Discord content delivery network (CDN) link, and Ande Loader drops NjRAT instead of Remcos RAT.
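The chain above leaves a concrete, hostable artifact: a script sitting in a Startup folder that references the delivery host. The following triage script is an added example (not eSentire's tooling or code from the report) that hunts for that pattern across a collected snapshot of Startup folders. The extension list, the indicator regexes other than the Discord CDN host, and the sample files are constructed assumptions for illustration; on a real host the snapshot would come from enumerating both Startup folders (for example with PowerShell's `Get-ChildItem`) and reading each text file.

```python
"""Hunt for script-based persistence in Windows Startup folders.

Added example, not code from the page or from the report it summarizes.
Runs offline on a constructed in-memory snapshot.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Script types Windows will run straight from a Startup folder.
# Assumption: an illustrative set, not an exhaustive one.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# Default per-user and all-users Startup folder locations.
STARTUP_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.I),
]

# Content indicators. cdn.discordapp.com is the delivery channel named in the
# report; the other patterns are generic script-dropper tells (assumption).
CONTENT_INDICATORS = {
    "discord_cdn": re.compile(r"cdn\.discordapp\.com", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\s", re.I),
    "obfuscation_helpers": re.compile(r"\b(StrReverse|Chr|Execute)\s*\(", re.I),
}


@dataclass
class StartupItem:
    path: str      # full Windows path as collected from the host
    content: str   # file text (empty for binaries and shortcuts)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def is_startup_path(path: str) -> bool:
    """True if the path lies inside a per-user or all-users Startup folder."""
    return any(p.match(path) for p in STARTUP_DIR_PATTERNS)


def triage(items: Iterable[StartupItem]) -> List[Finding]:
    """Flag Startup-folder entries that are scripts or carry dropper indicators."""
    findings: List[Finding] = []
    for item in items:
        if not is_startup_path(item.path):
            continue
        reasons: List[str] = []
        ext = ntpath.splitext(item.path)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script file in Startup folder ({ext})")
        for name, rx in CONTENT_INDICATORS.items():
            if rx.search(item.content):
                reasons.append(name)
        if reasons:
            findings.append(Finding(item.path, reasons))
    return findings


# Constructed snapshot standing in for a real collection; not real samples.
SAMPLE_ITEMS = [
    StartupItem(
        r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
        'Set sh = CreateObject("WScript.Shell")\n'
        'url = "https://cdn.discordapp.com/attachments/..."\n'
        'sh.Run "powershell -w hidden -c ...", 0, False\n',
    ),
    StartupItem(
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
        "[.ShellClassInfo]\n",
    ),
    StartupItem(r"C:\Users\bob\Documents\notes.vbs", 'MsgBox "hello"\n'),
]


def run_sample() -> List[Finding]:
    """Triage the constructed snapshot; only update.vbs should be flagged."""
    return triage(SAMPLE_ITEMS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.path, "->", ", ".join(f.reasons))
```

A script in a Startup folder is already worth a look on most fleets; combining that with a reference to a file-sharing CDN or a hidden PowerShell launch is what separates the Ande Loader pattern from a benign logon script. Shortcut (`.lnk`) files are deliberately left out here; they need target-path parsing rather than text matching.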

eSentire noted that Blind Eagle has been utilizing crypters developed by individuals known as Roda and Pjoao1578. One of Roda's crypters contains a hardcoded server hosting both injector components of the crypter and additional malware used in the Blind Eagle campaign.

These developments coincide with SonicWall's disclosure of another loader malware family called DBatLoader, which exploits a legitimate-but-vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to disable security solutions in a Bring Your Own Vulnerable Driver (BYOVD) attack, ultimately delivering Remcos RAT.

March 14, 2024