An active campaign distributing NjRAT (also known as Bladabindi) using Middle Eastern geopolitical-themed lures has been infecting victims in the Middle East and North Africa.
The campaign, which has been ongoing since at least mid-2022, was spotted by cybersecurity researchers at Trend Micro, who call the threat actor “Earth Bogle”.
Researchers Peter Girnus and Aliakbar Zahravi published an advisory today (Tuesday) stating that the attackers behind Earth Bogle used public cloud storage services to host their malware, while NjRAT itself was distributed through a compromised web server.
According to the researchers, the lure file behind the campaign “had a very low detection rate on VirusTotal.” This allowed the attacker to go undetected and spread the attack even further.
“The group behind the campaign used public cloud hosting services to host malicious CAB files and used themed lures to trick Arabic speakers into opening the infected files,” explained Girnus and Zahravi.
After the victim downloads and opens the lure file, the machine is infected with a second-stage dropper, a PowerShell script with various functions. This file eventually leads to the final PowerShell dropper, which is responsible for loading the NjRAT binary in memory.
The dropper also adds specific directories to the startup key to achieve persistence on infected systems.
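One way a defender can hunt for the two behaviours just described (a PowerShell dropper writing a startup Run key and a hidden or policy-bypassing PowerShell launch from a user profile), as an added example that is not part of this article or of Trend Micro's advisory. The log lines are constructed Sysmon-style events; the field names, registry paths and file paths are assumptions for illustration only.

```python
import re

# Constructed Sysmon-style events (not taken from the advisory):
# EventID=1 is process creation, EventID=13 is a registry value being set.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\stage2.ps1"',
    r'EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\u\AppData\Roaming\svc',
    r'EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\OneDrive\OneDrive.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, value may be quoted
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Hidden window, execution-policy bypass or encoded command on the PowerShell command line.
PS_FLAGS_RE = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|enc(odedcommand)?)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return (rule, image, evidence) tuples for one parsed event."""
    findings = []
    eid, img = event.get("EventID"), image_name(event.get("Image", ""))
    if eid == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        if img in SCRIPT_HOSTS:            # a script host installing persistence
            findings.append(("run_key_by_script_host", img, event["TargetObject"]))
        elif USER_PROFILE_RE.search(event.get("Details", "")):  # Run value pointing into a user profile
            findings.append(("run_key_points_to_user_profile", img, event["Details"]))
    if eid == "1" and img in {"powershell.exe", "pwsh.exe"}:
        cmd = event.get("CommandLine", "")
        if PS_FLAGS_RE.search(cmd) or USER_PROFILE_RE.search(cmd):
            findings.append(("suspicious_powershell_launch", img, cmd))
    return findings

def scan(lines):
    """Run every rule over every log line and collect the findings in order."""
    out = []
    for line in lines:
        out.extend(analyze(parse_event(line)))
    return out

if __name__ == "__main__":
    for rule, img, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {img:16} {evidence}")
```

The benign explorer.exe entry pointing at Program Files produces no finding, so the rules separate the dropper's behaviour from ordinary Run-key use.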
“The final payload of this campaign is NjRAT, which allows attackers to steal sensitive information, take screenshots, obtain reverse shells, manipulate processes, registry and files, upload/download files, and perform a myriad of other intrusive operations on the infected system,” reads the Trend Micro advisory.
To protect themselves from this and similar attacks, Girnus and Zahravi warned organizations to stay vigilant against phishing attacks and to be skeptical of sensational topics and themes used as decoys online.
“Users should be careful about opening suspicious archive files such as CAB files, especially those from public sources where the risk of compromise is high,” the team explains. “Security teams need to be aware of the dynamic nature of conflict zones when considering their security posture.”
The Earth Bogle advisory comes a few weeks after Orange Cyberdefense (OCD) data showed cyber extortion growing exponentially in Africa, the Middle East and China.