The Colombian insurance coverage sector is the goal of a menace actor tracked as Blind Eagle with the top purpose of delivering a personalized model of a identified commodity distant entry trojan (RAT) generally known as Quasar RAT since June 2024.
“Attacks have originated with phishing emails impersonating the Colombian tax authority,” Zscaler ThreatLabz researcher Gaetano Pellegrino mentioned in a brand new evaluation revealed final week.
The superior persistent menace (APT), additionally identified as AguilaCiega, APT-C-36, and APT-Q-98, has a observe report of specializing in organizations and people in South America, significantly associated to the federal government and finance sectors in Colombia and Ecuador.
The assault chains, as not too long ago documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious hyperlinks that function the launchpad for the an infection course of.
The hyperlinks, both embedded inside a PDF attachment or straight within the electronic mail physique, level to ZIP archives hosted on a Google Drive folder related to a compromised account that belongs to a regional authorities group in Colombia.
“The lure used by Blind Eagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments,” Pellegrino famous. “This is intended to create a sense of urgency and pressure the victim into taking immediate action.”
The archive accommodates inside it a Quasar RAT variant dubbed BlotchyQuasar, which packs in extra layers of obfuscation utilizing instruments like DeepSea or ConfuserEx to hinder evaluation and reverse engineering efforts. It was beforehand detailed by IBM X-Power in July 2023.
The malware contains capabilities to log keystrokes, execute shell instructions, steal knowledge from net browsers and FTP shoppers, and monitor a sufferer’s interactions with particular banking and fee companies situated in Colombia and Ecuador.
It additionally leverages Pastebin as a dead-drop resolver to fetch the command-and-control (C2) area, with the menace actor leveraging Dynamic DNS (DDNS) companies to host the C2 area.
“Blind Eagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia,” Pellegrino mentioned. “This attack demonstrates the continued use of this strategy.”
