Trend Micro researchers believe threat actors are using platforms such as Discord, Facebook and OneDrive to spread NjRAT.
Trend Micro researchers have discovered a currently active campaign, dubbed Earth Bogle, in which threat actors distribute NjRAT (also known as Bladabindi) to victims in the Middle East and North Africa.
According to Trend Micro's research, the attackers lure users with geopolitically themed content to deliver the notorious NjRAT malware. The victims of this campaign are mainly located in the Middle East and North Africa.
According to Trend Micro researchers Peter Girnus and Aliakbar Zahravi, the attackers host the malware on public cloud storage services such as files.fm and failiem.lv and distribute it through compromised web servers. The campaign has reportedly been active since mid-2022.
How Does the Attack Work?
The threat actors deliver a malicious Microsoft CAB (Cabinet) archive masqueraded as a sensitive audio recording. The file's title is crafted around a geopolitical theme so that targets feel compelled to open it. For instance, one of the files was titled "A voice call between Omar, the reviewer of the command of Tariq bin Ziyad's force, with an Emirati officer.cab."
The malicious file is distributed via social media platforms such as Discord and Facebook, file-sharing services such as OneDrive, and phishing emails.
The CAB file contains an obfuscated Visual Basic Script (VBS) dropper that executes the next stage of the attack. Once the CAB file is downloaded and the script runs, the VBS dropper fetches the malware from a compromised or spoofed host and retrieves a PowerShell script that injects NjRAT into the victim's device.
In their blog post, the researchers noted that the lure files used in the Earth Bogle campaign had surprisingly low detection rates on VirusTotal, which helped the attackers stay undetected and kept the campaign active. The dropper maintains persistence on the compromised system by adding a specific directory to the startup registry key.
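The delivery chain above (a CAB archive named like an audio recording that actually carries a VBS dropper) can be triaged statically without extracting or running anything, because the CAB directory is a plain header structure. The following Python is an added example and is not Trend Micro's or the campaign's code: it parses the MS-CAB CFHEADER and CFFILE structures to list the archive's entries, flags script or executable payloads, and reports whether the archive name looks like an audio lure. The audio keyword and extension lists are assumed heuristics, not indicators from the report; the tiny CAB builder and the VBS stub exist only to construct an offline sample.

```python
"""Static triage of CAB lure files: list CFFILE entries and flag script droppers.

Added example (not Trend Micro's or the campaign's code). Parses only the CAB
header/directory structures of the MS-CAB format; it does not decompress or
execute anything. The lure-name heuristics below are assumptions, not IOCs.
"""
import struct
from typing import Dict, List, Tuple

# Payload types that should never sit inside an "audio recording" archive.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".lnk"}
# Audio-lure indicators (assumed heuristics, not taken from the report).
AUDIO_EXTS = {".mp3", ".wav", ".m4a", ".ogg", ".amr", ".opus"}
AUDIO_WORDS = ("voice", "call", "audio", "recording")

# MS-CAB on-disk structures, all little-endian.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature .. iCabinet (36 bytes)
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE_FIXED = struct.Struct("<IIHHHH")      # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp


def list_cab_entries(data: bytes) -> List[str]:
    """Return the file names stored in a CAB's CFFILE directory."""
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a CAB file (missing MSCF signature)")
    fields = CFHEADER.unpack_from(data, 0)
    coff_files, c_files = fields[4], fields[9]  # offset of first CFFILE, number of files
    if coff_files >= len(data):
        raise ValueError("CFFILE offset points outside the file")
    names, pos = [], coff_files
    for _ in range(c_files):
        if pos + CFFILE_FIXED.size > len(data):
            raise ValueError("truncated CFFILE entry")
        _cb, _off, _folder, _date, _time, attribs = CFFILE_FIXED.unpack_from(data, pos)
        pos += CFFILE_FIXED.size
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        # Attribute bit 0x80 marks a UTF-8 name; otherwise the name is in the OEM code page.
        names.append(data[pos:end].decode("utf-8" if attribs & 0x80 else "cp1252", "replace"))
        pos = end + 1
    return names


def triage_cab(cab_name: str, data: bytes) -> Dict[str, object]:
    """Flag a CAB whose name suggests audio but whose directory holds scripts or executables."""
    entries = list_cab_entries(data)
    stem = cab_name.lower()
    stem = stem[:-4] if stem.endswith(".cab") else stem
    script_entries = [n for n in entries if any(n.lower().endswith(e) for e in SCRIPT_EXTS)]
    lure = []
    if any(stem.endswith(e) for e in AUDIO_EXTS):
        lure.append("audio double extension")
    if any(w in stem for w in AUDIO_WORDS):
        lure.append("audio-themed filename")
    return {
        "entries": entries,
        "script_entries": script_entries,
        "lure_indicators": lure,
        # A script in the archive is the decisive signal; the lure name only raises confidence.
        "suspicious": bool(script_entries),
    }


def build_cab(files: List[Tuple[str, bytes]]) -> bytes:
    """Build a minimal single-folder, uncompressed CAB for offline testing (constructed sample)."""
    files_off = CFHEADER.size + CFFOLDER.size
    directory, payload = b"", b""
    for name, content in files:
        attribs = 0x20 | (0x80 if not name.isascii() else 0)  # archive bit, UTF-8 name flag
        directory += CFFILE_FIXED.pack(len(content), len(payload), 0, 0x5641, 0x0000, attribs)
        directory += name.encode("utf-8") + b"\x00"
        payload += content
    data_off = files_off + len(directory)
    block = CFDATA.pack(0, len(payload), len(payload)) + payload  # csum 0 = not computed
    header = CFHEADER.pack(b"MSCF", 0, data_off + len(block), 0, files_off, 0,
                           3, 1, 1, len(files), 0, 0, 0)  # format version 1.3, one folder
    folder = CFFOLDER.pack(data_off, 1, 0)  # one CFDATA block, typeCompress 0 = none
    return header + folder + directory + block


# Constructed sample: the archive name is the lure title quoted in the report; the VBS is a stub.
SAMPLE_NAME = ("A voice call between Omar, the reviewer of the command of "
               "Tariq bin Ziyad's force, with an Emirati officer.cab")
SAMPLE_CAB = build_cab([("call.vbs", b"' constructed stand-in for the obfuscated VBS dropper\r\n")])

if __name__ == "__main__":
    for key, value in triage_cab(SAMPLE_NAME, SAMPLE_CAB).items():
        print(f"{key}: {value}")
```

To triage a real file, pass `open(path, "rb").read()` and its basename to `triage_cab`; a hit on `script_entries` is a reason to detonate in a sandbox rather than on a workstation, regardless of whether VirusTotal detections are low.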
What is NjRAT?
NjRAT is a remote access trojan (RAT) first detected in 2013. It gives attackers unauthorized remote control over infected computers and has historically been used in cyberattacks targeting users and organizations in the Middle East.
To prevent infection, users and operators of cloud infrastructure must strengthen their systems' security.
“Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risks of compromise are high. Security teams should be aware of the dynamic nature of conflict zones when considering a security posture,” researchers noted.