The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle, with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) called Quasar RAT since June 2024.
“Attacks have originated with phishing emails impersonating the Colombian tax authority,” Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week.
The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly those related to the government and finance sectors in Colombia and Ecuador.
The attack chains, as recently documented by Kaspersky, originate with phishing emails that lure recipients into clicking on malicious links that serve as the launchpad for the infection process.
The links, either embedded within a PDF attachment or placed directly in the email body, point to ZIP archives hosted in a Google Drive folder associated with a compromised account belonging to a regional government organization in Colombia.
“The lure used by Blind Eagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments,” Pellegrino noted. “This is intended to create a sense of urgency and pressure the victim into taking immediate action.”
The archive contains a Quasar RAT variant dubbed BlotchyQuasar, which packs in additional layers of obfuscation using tools like DeepSea or ConfuserEx to hinder analysis and reverse engineering efforts. It was previously detailed by IBM X-Force in July 2023.
The malware includes capabilities to log keystrokes, execute shell commands, steal data from web browsers and FTP clients, and monitor a victim’s interactions with specific banking and payment services located in Colombia and Ecuador.
It also uses Pastebin as a dead-drop resolver to fetch the command-and-control (C2) domain, with the threat actor relying on Dynamic DNS (DDNS) services to host that domain.
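The dead-drop-resolver pattern described above is observable from the network side: an endpoint fetches a raw Pastebin paste and, shortly afterwards, opens a connection to a dynamic-DNS hostname it has never contacted before. The following is an added example (not code from Zscaler, Kaspersky or the article) that hunts for that sequence in a proxy log. The log lines, the hostnames and the list of DDNS parent domains are constructed for illustration and are not indicators from the report.

```python
"""
Hunt for the dead-drop-resolver sequence over constructed proxy log lines:
a Pastebin raw-paste fetch followed, within a short window, by a connection
from the same host to a dynamic-DNS (DDNS) hostname.
Example code written for this article; not part of the Zscaler analysis.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp, source host, method, target.
# None of these hosts or paste IDs come from the report.
SAMPLE_LOG = """\
2024-06-11T09:14:02Z ws-0142 GET https://pastebin.com/raw/EXAMPLE01
2024-06-11T09:14:05Z ws-0142 CONNECT examplehost.duckdns.org:443
2024-06-11T09:20:00Z ws-0207 GET https://pastebin.com/raw/EXAMPLE02
2024-06-11T11:45:00Z ws-0207 CONNECT updates.example.com:443
2024-06-11T12:01:00Z ws-0310 CONNECT backup.no-ip.org:443
2024-06-11T12:30:00Z ws-0401 GET https://pastebin.com/raw/EXAMPLE03
2024-06-11T12:31:00Z ws-0401 CONNECT example.ddns.net:8080
"""

# Assumed, illustrative DDNS parent domains; a real deployment would use a
# maintained list. Only Pastebin is named by the article as the dead drop.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
DEAD_DROP_HOSTS = ("pastebin.com",)
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into a dict with timestamp, host, destination, path."""
    ts, host, method, target = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if method == "CONNECT":
        dest, path = target.rsplit(":", 1)[0], ""
    else:
        parsed = urlparse(target)
        dest, path = parsed.hostname or "", parsed.path
    return {"when": when, "host": host, "dest": dest.lower(), "path": path}


def is_dead_drop_fetch(ev):
    """A raw-paste fetch is the dead-drop read described in the article."""
    return ev["dest"] in DEAD_DROP_HOSTS and ev["path"].startswith("/raw/")


def is_ddns(dest):
    return any(dest == s or dest.endswith("." + s) for s in DDNS_SUFFIXES)


def find_dead_drop_sequences(log_text, window=WINDOW):
    """Return (host, paste_path, ddns_dest) for each dead-drop fetch that is
    followed within `window` by a DDNS connection from the same host."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["when"])
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_dead_drop_fetch(ev):
                continue
            for later in evs[i + 1:]:
                if later["when"] - ev["when"] > window:
                    break  # events are time-sorted, nothing later can match
                if is_ddns(later["dest"]):
                    hits.append((host, ev["path"], later["dest"]))
                    break
    return hits


if __name__ == "__main__":
    for host, paste, c2 in find_dead_drop_sequences(SAMPLE_LOG):
        print(f"{host}: read pastebin{paste}, then connected to DDNS host {c2}")
```

In the constructed log, ws-0207 reads a paste but its later connection is neither DDNS nor inside the window, and ws-0310 contacts a DDNS host without a preceding paste fetch, so only ws-0142 and ws-0401 are reported. Correlating the two events rather than alerting on either alone keeps ordinary Pastebin or DDNS use from flooding the queue.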
“Blind Eagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia,” Pellegrino said. “This attack demonstrates the continued use of this strategy.”