Malware Analysis: Blind Eagle’s North American Journey

Blind Eagle campaigns leverage Ande Loader to deliver RemcosRAT and NjRAT, backed by crypters from Roda and Pjoao1578, with hardcoded servers hosting injectors and additional malware. The actor group has targeted Spanish-speaking manufacturing companies in North America using phishing and persistent startup mechanisms, while evolving loader and crypting tools like UpCrypter and FuckCrypt. Hashtags: #AndeLoader #BlindEagle #RemcosRAT #NjRAT #Pjoao1578

Keypoints

  • Ande Loader is used to drop final payloads RemcosRAT and NjRAT in the Blind Eagle operation.
  • Crypters by Roda and Pjoao1578 are employed, with one loader’s server hosting injector components and other malware.
  • Case Two distributes the BZ2 archive via Discord CDN, while Case One uses password-protected archives and a VBS-based chain for persistence.
  • Persistence is achieved through Registry Run Keys and Startup Folder as well as startup shortcuts and scheduled tasks.
  • Ande Loader executes via obfuscated PowerShell, Base64 decoding, and a process injection chain culminating in RemcosRAT (and NjRAT in some variants).
  • eSentire TRU recommends global threat hunts, ML-based detections (BlueSteel), and retroactive threat hunts to mitigate Blind Eagle.

MITRE Techniques

  • [T1566] Phishing – The campaign uses phishing emails to lure victims into downloading a password-protected archive. “Blind Eagle is delivered via a phishing email containing the link to retrieve the password-protected archive.”
  • [T1204.002] Malicious File – The user launches the malicious VBS file, triggering the chain that leads to payload execution.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Persistence is achieved via the Registry Run Keys / Startup folder.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The VBS script spawns PowerShell to execute Ande Loader.
  • [T1055.012] Process Hollowing – Blind Eagle uses process hollowing to inject the final payload, leveraging various APIs to hollow out and execute inside another process.
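As an added example (not code from the eSentire report), the kind of detection logic a defender can run over process-creation telemetry to flag the VBS-to-PowerShell step described above and recover the Base64-encoded command for review. The Sysmon-style field names and the sample events, including the encoded command, are constructed for illustration.

```python
import base64
import re

# Constructed Sysmon-style process-creation events; the encoded command is a
# harmless stand-in for the loader's real one, not taken from the report.
_DECODED_SAMPLE = "$d=[Convert]::FromBase64String('QUJD');Write-Output $d"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc "
                    + base64.b64encode(_DECODED_SAMPLE.encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # script hosts launched by the VBS (T1204.002)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is UTF-16LE Base64.
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SUSPICIOUS_TOKENS = ("FromBase64String", "Invoke-Expression", "-w hidden", "-nop")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Score one process-creation event for the script-host -> PowerShell chain."""
    findings = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append(f"T1059.001: powershell.exe spawned by script host {parent}")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        findings.append("encoded command recovered for review")
        haystack = (event["CommandLine"] + " " + decoded).lower()
        findings.extend(f"suspicious token: {t}" for t in SUSPICIOUS_TOKENS if t.lower() in haystack)
    return {"decoded": decoded, "findings": findings}
```

The benign second event produces no findings, so the rule keys on the parent process and the recovered command content rather than on PowerShell use alone.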

Indicators of Compromise

  • [File Hash] Ande Loader – 48b6064beec687fc110145cf7a19640d, b8f878d1ee6a118f9eee4cf111193f53, and 2 more hashes
  • [File Hash] Ande Loader – 4c30ea433832fb13b5d7637d3b13bead, 2a59f2a51b96d9364e10182a063d9bec
  • [Domain] C2 (RemcosRAT) – rxms.duckdns[.]org:57832
  • [Domain] C2 (NjRAT) – njnjnjs[.]duckdns.org
  • [IP] C2 (opendir) – 91.213.50[.]74
  • [File Name] RemcosRAT – RemcosRAT
  • [File Name] NjRAT – NjRAT

Read more: https://www.esentire.com/blog/blind-eagles-north-american-journey