Colombia’s insurance sector has become the target of a threat that is being tracked Blind eagle with the ultimate goal of delivering a customized version of a known commercial remote access trojan (RAT) known as the Quasar RAT from June 2024.
“The attacks came from phishing emails impersonating the Colombian tax authority,” Gaetano Pellegrino, researcher at Zscaler ThreatLabz said in a new analysis published last week.
Also Advanced Persistent Threat (APT). of course as AguilaCiega, APT-C-36 and APT-Q-98, has a track record of targeting organizations and individuals in South America, particularly related to the public and financial sectors in Colombia and Ecuador.
Attack chains like recently documented from Kaspersky, originate from phishing emails that encourage recipients to click on malicious links that serve as a launching pad for the infection process.
Links embedded in a PDF attachment or directly in the body of an email point to ZIP archives located in a Google Drive folder associated with a compromised account belonging to a regional government organization in Colombia.
“The bait used by Blind Eagle involved sending the victim a notice that purported to be a forfeiture order due to unpaid taxes,” Pellegrino noted. “It’s meant to create a sense of urgency and force the victim to take immediate action.”
The archive contains a variant of the Quasar RAT called BlotchyQuasar, which contains additional layers of obfuscation using tools such as DeepSea or ConfuserEx to hinder analysis and reverse engineering. It was previously detailed by IBM X-Force in July 2023.
The malware includes the ability to log keystrokes, execute shell commands, steal data from web browsers and FTP clients, and monitor the victim’s interactions with certain banking and payment services located in Colombia and Ecuador.
It also uses Pastebin as a continuous resolver to obtain the Command and Control (C2) domain, with the threat actor using Dynamic DNS Services (DDNS) to locate the C2 domain.
“Blind Eagle typically protects its infrastructure behind a combination of VPN nodes and compromised routers, mostly located in Colombia,” Pellegrino said. “This attack demonstrates the continued use of this strategy.”