Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT



Sep 09, 2024 Ravie Lakshmanan Financial Security / Malware


The Colombian insurance sector has been the target of a threat actor tracked as Blind Eagle since June 2024, with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) called Quasar RAT.

"Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week.

The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly those related to the government and finance sectors in Colombia and Ecuador.


The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process.

The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted in a Google Drive folder associated with a compromised account that belongs to a regional government organization in Colombia.

"The lure used by Blind Eagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments," Pellegrino noted. "This is intended to create a sense of urgency and pressure the victim into taking immediate action."

Customized Quasar RAT

The archive contains a Quasar RAT variant dubbed BlotchyQuasar, which packs in additional layers of obfuscation using tools like DeepSea or ConfuserEx to hinder analysis and reverse engineering efforts. It was previously detailed by IBM X-Force in July 2023.

The malware includes capabilities to log keystrokes, execute shell commands, steal data from web browsers and FTP clients, and monitor a victim's interactions with specific banking and payment services located in Colombia and Ecuador.


It also leverages Pastebin as a dead-drop resolver to fetch the command-and-control (C2) domain, with the threat actor using Dynamic DNS (DDNS) services to host the C2 domain. Because the paste can be edited at any time, the C2 domain can be rotated without touching the malware, and the DDNS hostname lets the actor move the C2 to a new IP address without changing the domain either.
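A dead-drop resolver is noisy to detect on its own, since plenty of legitimate software fetches raw pastes, but the two steps the article describes (fetch a paste, then resolve a DDNS name) are a tight sequence that can be correlated per host. The following Python is an added detection example written for this page; it is not code from the article, from Zscaler, or from the malware. The log lines, hostnames, paste IDs and timestamps are constructed, the log format is an assumption, and the DDNS zone list is an illustrative subset of well-known providers that you would extend from your own intelligence.

```python
"""Correlate a Pastebin raw fetch with a DDNS lookup from the same host.

Added example for detection engineering; all sample data is constructed.
Assumed log format per line: <ISO-8601 timestamp> <host> <kind> <value>
where kind is "http_get" (value = URL) or "dns_query" (value = name).
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple
from urllib.parse import urlparse

# Illustrative subset of Dynamic DNS provider zones (assumption: extend
# this from your own threat intel; the article does not list zones).
DDNS_ZONES = (
    "duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org",
    "zapto.org", "dyndns.org", "myftp.biz", "serveftp.com",
)

# Dead-drop hosts to correlate on (the article names Pastebin only).
DEAD_DROP_HOSTS = ("pastebin.com",)

# A DDNS lookup must follow the dead-drop fetch within this window.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: two true positives (ws-0412, ws-0555),
# one paste fetch with no DDNS follow-up (ws-0198), and one DDNS lookup
# with no preceding dead-drop fetch (ws-0777).
SAMPLE_EVENTS = """\
2024-06-11T09:14:02Z ws-0412 http_get https://pastebin.com/raw/AbCdEf12
2024-06-11T09:14:05Z ws-0412 dns_query payroll-update.duckdns.org
2024-06-11T09:20:44Z ws-0198 http_get https://pastebin.com/raw/ZyXwVu98
2024-06-11T10:01:10Z ws-0198 dns_query updates.example.com
2024-06-11T09:30:00Z ws-0777 dns_query camera-feed.no-ip.org
2024-06-11T11:02:33Z ws-0555 http_get https://pastebin.com/raw/Q1w2E3r4
2024-06-11T11:02:40Z ws-0555 dns_query invoice-sync.ddns.net
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str
    value: str


def parse_events(text: str) -> List[Event]:
    """Parse the assumed log format into time-sorted Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, kind, value = line.split(maxsplit=3)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, host, kind, value))
    return sorted(events, key=lambda e: e.ts)


def is_dead_drop_fetch(ev: Event) -> bool:
    """True if the event is an HTTP GET to a known dead-drop host."""
    if ev.kind != "http_get":
        return False
    netloc = urlparse(ev.value).netloc.lower()
    return any(netloc == h or netloc.endswith("." + h) for h in DEAD_DROP_HOSTS)


def is_ddns_name(name: str) -> bool:
    """True if the queried name sits under a listed DDNS zone (label-aware)."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DDNS_ZONES)


def correlate(events: List[Event]) -> List[dict]:
    """One alert per dead-drop fetch followed, within the window and from the
    same host, by a DNS query for a DDNS name (the likely C2 domain)."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:                      # events are already time-sorted
        by_host[ev.host].append(ev)

    alerts: List[dict] = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_dead_drop_fetch(ev):
                continue
            deadline = ev.ts + CORRELATION_WINDOW
            for later in evs[i + 1:]:
                if later.ts > deadline:
                    break
                if later.kind == "dns_query" and is_ddns_name(later.value):
                    alerts.append({
                        "host": host,
                        "dead_drop": ev.value,
                        "c2_candidate": later.value,
                        "lag_seconds": int((later.ts - ev.ts).total_seconds()),
                    })
                    break                  # one alert per fetch is enough
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {a['host']}: {a['dead_drop']} -> "
              f"{a['c2_candidate']} ({a['lag_seconds']}s later)")
```

Run against the constructed sample, the script alerts only on ws-0412 and ws-0555; the lone paste fetch and the lone DDNS lookup stay quiet, which is the point of correlating rather than alerting on either signal alone. In production you would feed `parse_events` from proxy and DNS telemetry, widen `DEAD_DROP_HOSTS` to other paste and gist services your environment sees abused, and tune `CORRELATION_WINDOW` to how quickly your endpoints actually resolve names after a fetch.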

"Blind Eagle usually shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia," Pellegrino said. "This attack demonstrates the continued use of this method."
