While threat hunting, TREND Micro found an active campaign using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign they have labeled Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
NjRAT (also known as Bladabindi) is a remote access trojan (RAT) malware first discovered in 2013. It is primarily used to gain unauthorized access and control over infected computers and has been used in various cyberattacks to target individuals and organizations in the Middle East. Users and security teams are recommended to keep their systems’ security solutions updated and their respective cloud infrastructures properly secured to defend against this threat.
Use of Middle Eastern Geopolitical Themes as Lures
One of the malicious CAB files’ filename translates to “A voice call between Omar, the reviewer of the command of Tariq bin Ziyad’s force, with an Emirati officer.cab”. The attacker uses the lure of a supposedly sensitive voice call between an Emirati military officer and a member of the Tariq bin Ziyad (TBZ) Militia, a powerful Libyan faction.
The file lures victims in the region into opening the file by insinuating a false link between the UAE and a group associated with war crimes, appealing to political interests and emotional appeals. These lures are consistent with a campaign disclosed in December 2022 that used Facebook advertisements on spoofed Middle Eastern news outlets’ pages, which were shared and pushed to other users by unsuspecting mules.