The threat actor known as Blind Eagle, also identified as APT-C-36, has been observed using a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. These attacks, delivered via phishing emails, specifically targeted Spanish-speaking users in the manufacturing industry based in North America.
Blind Eagle, a financially motivated threat actor, has a history of targeting entities in Colombia and Ecuador with cyber attacks to distribute various RATs, including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.
The recent findings indicate an expansion of Blind Eagle’s targeting scope, with the threat actor now using phishing emails containing RAR and BZ2 archives to initiate the infection chain.
The RAR archives, protected by a password, contain a malicious Visual Basic Script (VBScript) file that establishes persistence in the Windows Startup folder and executes the Ande Loader, which then loads the Remcos RAT payload.
In a different attack sequence observed by eSentire, a BZ2 archive containing a VBScript file is distributed via a Discord content delivery network (CDN) link. In this case, the Ande Loader malware drops NjRAT instead of Remcos RAT.
eSentire also noted that Blind Eagle has been using crypters developed by Roda and Pjoao1578. One of Roda's crypters includes a hardcoded server that hosts both the crypter's injector components and additional malware used in the Blind Eagle campaign.
Separately, another loader malware family, DBatLoader, was recently documented abusing a legitimate but vulnerable driver associated with the RogueKiller AntiMalware software (truesight.sys) to disable security products, a Bring Your Own Vulnerable Driver (BYOVD) technique, before ultimately delivering Remcos RAT.
DBatLoader is likewise delivered inside an archive attached to an email and is heavily obfuscated, with multiple layers of encrypted data.
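The behaviours described above (a VBScript dropped into the Startup folder, a script host fetching a payload from Discord's CDN, and a kernel driver such as truesight.sys loaded from a user-writable path) are all visible in ordinary endpoint telemetry. The following hunting script is an added example, not code from eSentire or from the page's sources: it runs four simple rules over Sysmon-style events. The events are constructed for the example, the field names follow Sysmon's schema, and the Discord CDN hostnames and the "trusted" driver directories are assumptions a real deployment would tune.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events for the example; not captured from a real host.
# EventID 11 = FileCreate, 1 = ProcessCreate, 22 = DNSQuery, 6 = DriverLoad.
SAMPLE_EVENTS = [
    # VBScript written to the per-user Startup folder (persistence step of the RAR chain)
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    # Script host executing a VBScript from a user-writable directory
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\ana\Downloads\factura.vbs"'},
    # Script host resolving Discord's CDN (download step of the BZ2 chain)
    {"EventID": 22, "Image": r"C:\Windows\System32\wscript.exe",
     "QueryName": "cdn.discordapp.com"},
    # Legitimate-but-vulnerable driver loaded from a temp directory (BYOVD, DBatLoader)
    {"EventID": 6, "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\truesight.sys",
     "Signed": "true"},
    # Benign noise that the rules must not flag
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\ana\Documents\report.docx"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

# Matches both the per-user and the all-users Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# A script path under a user profile on a command line.
USER_SCRIPT = re.compile(r"[a-z]:\\users\\[^\"']+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DISCORD_CDN = {"cdn.discordapp.com", "media.discordapp.net"}   # assumed hostnames to watch
VULN_DRIVERS = {"truesight.sys"}                               # driver named in the report


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the name of the first rule the event matches, or None."""
    eid = ev.get("EventID")
    proc = _basename(ev.get("Image", ""))
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
            return "startup_script_persistence"
    elif eid == 1:
        if proc in SCRIPT_HOSTS and USER_SCRIPT.search(ev.get("CommandLine", "")):
            return "script_host_user_script"
    elif eid == 22:
        if proc in SCRIPT_HOSTS and ev.get("QueryName", "").lower() in DISCORD_CDN:
            return "script_host_discord_cdn"
    elif eid == 6:
        # Every load of the named driver is flagged here; a site that legitimately
        # runs RogueKiller should baseline its install path and alert only on loads
        # from elsewhere (a temp directory, as in the sample, is never legitimate).
        if _basename(ev.get("ImageLoaded", "")) in VULN_DRIVERS:
            return "vulnerable_driver_load"
    return None


def hunt(events):
    """Run every rule over a list of events and return the hits in order."""
    hits = []
    for index, ev in enumerate(events):
        rule = check_event(ev)
        if rule is not None:
            hits.append({"rule": rule, "index": index, "event": ev})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] event #{hit['index']}: {hit['event']}")
```

Each rule on its own is noisy (developers run wscript.exe on their own scripts, and plenty of software talks to Discord), so in practice the value comes from correlating them on one host within a short window, which is exactly the sequence the infection chain produces.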
Defending against these campaigns starts at the delivery stage, since every chain described here begins with a phishing email carrying an archive. Train users to treat unsolicited archives, especially password-protected ones whose contents a mail gateway cannot inspect, and links to file-sharing or Discord CDN URLs with suspicion, and where the business allows, block or quarantine password-protected RAR and BZ2 attachments at the gateway. Keep endpoint protection updated, and monitor for script files written to the Windows Startup folder and for script hosts such as wscript.exe contacting cdn.discordapp.com, which are the persistence and download behaviours described above. Against the BYOVD technique used by DBatLoader, enable Microsoft's vulnerable driver blocklist (enforced through memory integrity / HVCI) and alert on kernel driver loads from user-writable directories. Finally, keep regularly tested backups offline so that data can be recovered if an intrusion succeeds.