Earth Bogle Group Targets Middle East With NjRAT, Geopolitical Lures

An active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) has been spotted infecting victims across the Middle East and North Africa.

Ongoing since at least mid-2022, the campaign was discovered by cybersecurity researchers at Trend Micro, who dubbed the threat "Earth Bogle."

Writing in an advisory earlier today (Tuesday), researchers Peter Girnus and Aliakbar Zahravi said the threat actors behind Earth Bogle used public cloud storage services to host malware, but the NjRAT distribution was done via compromised web servers.

According to the researchers, the lure files behind the campaign had “exceptionally low detection rates on Virus Total.” This, in turn, allowed the attackers to remain undetected and spread their attacks further.

“The group behind the campaign uses public cloud hosting services to host malicious CAB files and uses themed lures to entice Arabic speakers into opening the infected file,” Girnus and Zahravi explained.

After downloading the lure file and opening it, victims’ machines are infected with a second-stage dropper, a PowerShell script with various functionalities. This file eventually delivers the final PowerShell dropper responsible for loading the NjRAT binary into memory.

The dropper also achieves persistence on an infected system by adding a specific directory to the startup key.
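The chain described above ends with an autostart entry that launches a PowerShell loader, so a defender's first check on a suspect host is an inventory of the usual autostart locations. The script below is an added example written for this article, not code from Trend Micro or the advisory: it enumerates the Run/RunOnce registry keys and the per-user and all-users Startup folders, resolves shortcut targets, and flags entries that launch PowerShell with encoded or hidden-window flags or that point into user-writable directories. The key list, the regex heuristics and the extension list are assumptions made for illustration; they produce candidates for analyst review, not verdicts.

```powershell
# Added example: audit common Windows autostart locations for entries that look
# like a script-based dropper. Not from the Trend Micro advisory; the heuristics
# below are assumptions chosen for illustration.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Patterns worth a second look in an autostart command line: a PowerShell launch
# with encoded/hidden/bypass flags, or a target under a user-writable directory.
$suspiciousPatterns = @(
    'powershell(\.exe)?\s.*(-enc\b|-e\s|-encodedcommand|-w(indowstyle)?\s+hidden|-nop\b|bypass)',
    '\\AppData\\',
    '\\Temp\\',
    '\\Users\\Public\\',
    '\\ProgramData\\'
)

# File types in a Startup folder that run code directly at logon.
$scriptExtensions = @('.ps1', '.vbs', '.js', '.bat', '.cmd', '.hta', '.cab')

function Test-SuspiciousAutostart {
    param([string]$CommandLine)
    foreach ($p in $suspiciousPatterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run/RunOnce values (skip the PS* metadata properties).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
        $value = [string]$props.$name
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $name
            Command    = $value
            Suspicious = Test-SuspiciousAutostart $value
        }
    }
}

# 2. Startup folders: anything here runs at logon; resolve .lnk targets so the
#    real command line (including arguments) is what gets inspected.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
        }
        $findings += [pscustomobject]@{
            Location   = $dir
            Name       = $_.Name
            Command    = $target
            Suspicious = ($_.Extension -in $scriptExtensions) -or (Test-SuspiciousAutostart $target)
        }
    }
}

# Suspicious entries first; everything is listed so nothing is hidden by the heuristics.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable. Legitimate software does sometimes autostart from AppData or ProgramData, so treat a flagged row as a prompt to inspect the referenced file and its signing status rather than as an indicator on its own.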

“The final payload of this campaign is NjRAT, allowing attackers to conduct a myriad of intrusive activities on infected systems such as stealing sensitive information, taking screenshots, getting a reverse shell, process, registry and file manipulation, uploading/downloading files, and performing other operations,” reads the Trend Micro advisory.

To defend against this and similar attacks, Girnus and Zahravi warned organizations to remain vigilant against phishing attacks and skeptical about sensational topics and themes used as lures online.

“Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risks of compromise are high,” the team explained. “Security teams should be aware of the dynamic nature of conflict zones when considering a security posture.”

The Earth Bogle advisory comes weeks after data from Orange Cyberdefense (OCD) showed that cyber extortion is growing exponentially in Africa, the Middle East and China.