Ande Loader Malware Targets Manufacturing Sector in North America

Blind Eagle, also known as APT-C-36, has been observed using a loader malware named Ande Loader to distribute remote access trojans (RATs) such as Remcos RAT and NjRAT. The attacks primarily target Spanish-speaking users in the manufacturing industry based in North America. The infection chain begins with phishing emails carrying RAR and BZ2 archives, which serve as the initial infection vector. The archives are password-protected and contain Visual Basic Script (VBScript) files responsible for establishing persistence and launching Ande Loader. Once executed, Ande Loader deploys the RAT payloads.

Notably, Blind Eagle employs crypters developed by individuals known as Roda and Pjoao1578 to obfuscate their malware, adding layers of complexity to their malicious activities. Additionally, an alternative attack sequence observed by cybersecurity firm eSentire involves the distribution of a BZ2 archive via a Discord content delivery network link, resulting in the deployment of NjRAT instead of Remcos RAT.

Security Officer Comments:
Meanwhile, SonicWall has uncovered details about another loader malware called DBatLoader, which exploits a vulnerable driver associated with RogueKiller AntiMalware software to disable security solutions and deliver Remcos RAT. The malware, often concealed within highly obfuscated email attachments, poses significant challenges for detection and mitigation.

Suggested Corrections:
Researchers recommend implementing the following controls to help secure your organization against Blind Eagle:

  • Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
  • Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.

As the TTPs used by threat actors grow in sophistication, they create difficulties that force critical business decisions. Preventing the attack techniques and tactics used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and being able to investigate logs and network data during active intrusions.
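As an added illustration of the endpoint detection this advisory calls for (example code written for this page, not from eSentire, SonicWall or the reported campaign), the following correlates the chain described above: a Windows script host running a .vbs from a user-writable staging directory, followed by Run-key persistence and a child process launched from the user profile. The telemetry records, paths and key names are constructed samples, not indicators from the report.

```python
import re

# Windows script hosts that execute the VBScript stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where an extracted archive member typically lands.
STAGING_DIRS = re.compile(r"\\(?:temp|downloads|appdata)\\", re.IGNORECASE)
# Run-key writes are the persistence mechanism we correlate with the script.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry in a Sysmon-like shape (not logs from the report).
EVENTS = [
    {"type": "proc", "pid": 4011, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\factura.vbs"'},
    {"type": "reg", "pid": 4011,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"type": "proc", "pid": 4020, "ppid": 4011,
     "image": r"C:\Users\ana\AppData\Roaming\svc.exe", "cmdline": r"svc.exe"},
    # Benign administrative script from a non-staging path: must not be flagged.
    {"type": "proc", "pid": 5100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Scripts\inventory.vbs"'},
]


def detect_script_staging_chain(events):
    """Return {pid: finding} for script hosts that ran a .vbs from a staging
    directory, with any Run-key writes and staged child processes attached."""
    findings = {}
    for ev in events:  # pass 1: seed on the suspicious script-host launch
        if ev["type"] == "proc" and ev["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            if ".vbs" in ev["cmdline"].lower() and STAGING_DIRS.search(ev["cmdline"]):
                findings[ev["pid"]] = {"script": ev["cmdline"], "persistence": [], "children": []}
    for ev in events:  # pass 2: attach persistence and payload launches by pid/ppid
        if ev["type"] == "reg" and ev["pid"] in findings and RUN_KEY.search(ev["key"]):
            findings[ev["pid"]]["persistence"].append(ev["key"])
        elif ev["type"] == "proc" and ev.get("ppid") in findings and STAGING_DIRS.search(ev["image"]):
            findings[ev["ppid"]]["children"].append(ev["image"])
    return findings


def severity(finding):
    """Escalate when the script both persisted and launched a payload, i.e. the full chain."""
    score = 1 + bool(finding["persistence"]) + bool(finding["children"])
    return {1: "low", 2: "medium", 3: "high"}[score]


if __name__ == "__main__":
    for pid, f in detect_script_staging_chain(EVENTS).items():
        print(pid, severity(f), f)
```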