BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar RAT
A resurgence of activity has been reported by BlindEagle, a South America-focused APT actor also known as APT-C-36. BlindEagle has a history of targeting individuals and organizations, particularly within the government and financial sectors of Colombia and Ecuador.
Introduction
On September 5, 2024, Zscaler’s ThreatLabz reported a resurgence of activity by BlindEagle, a South America-focused advanced persistent threat (APT) actor, also known as APT-C-36 or AguilaCiega. BlindEagle has a history of targeting individuals and organizations, particularly within the government and financial sectors of Colombia and Ecuador. In this recent campaign, BlindEagle directed its efforts towards the Colombian insurance sector, deploying a heavily obfuscated variant of the Quasar RAT, dubbed BlotchyQuasar, to steal sensitive payment-related data.
Report Overview
BlindEagle’s activities were initially detected in June 2024 when phishing emails, impersonating Colombia's tax authority, Dirección de Impuestos y Aduanas Nacionales (DIAN), were sent to employees in the Colombian insurance sector. The emails falsely claimed that the recipients were subject to seizure orders due to unpaid taxes. This social engineering technique, designed to invoke urgency, is characteristic of BlindEagle’s operations.
The phishing attack chain begins with a malicious email that includes a PDF attachment and a download URL leading to a password-protected ZIP archive. The ZIP archive is hosted on a Google Drive folder associated with a compromised Colombian government account. Within the ZIP archive, victims find an executable file: BlotchyQuasar RAT.
BlotchyQuasar is a heavily obfuscated Remote Access Trojan (RAT) based on QuasarRAT, with multi-layer encryption and custom XOR-based algorithms used to conceal its payload. Once executed, the RAT decrypts its command-and-control (C2) domain from a Pastebin link. BlotchyQuasar is equipped with keylogging capabilities, window monitoring, and the ability to steal credentials from browsers like Chrome, Firefox, and FileZilla FTP client.
The BlotchyQuasar malware enables BlindEagle to monitor and log interactions with specific financial services, primarily targeting users in Colombia’s banking sector. By logging keystrokes and stealing credentials, the RAT allows attackers to potentially drain accounts or compromise sensitive financial information. The RAT’s ability to establish persistent C2 communication and exfiltrate data, combined with its use of dynamic DNS services for infrastructure, makes it a persistent threat to organizations and individuals in Colombia’s insurance and financial industries.
Insights and Analysis
Zscaler’s ThreatLabz analysis highlights the obfuscation techniques used to make BlotchyQuasar challenging to detect and analyze. The C2 domain, decrypted using 3DES encryption from a Pastebin link, allows BlindEagle to dynamically control its malware operations and adjust targets as needed. The targeting of Colombian and Ecuadorian financial institutions strongly suggests a focused campaign aimed at gaining illicit access to payment systems and financial accounts.
This BlindEagle campaign demonstrates the increasing sophistication of phishing attacks aimed at financial sectors in South America. Organizations must remain vigilant against such threats by ensuring robust email filtering, employee education, and implementing multi-factor authentication to mitigate the risk of credential theft.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
b83f6c57aa04dab955fadcef6e1f4139 | MD5 | Hash of BlotchyQuasar sample |
ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd | SHA256 | Hash of BlotchyQuasar sample |
edificiobaldeares.linkpc[.]net | Domain | BlotchyQuasar C2 domain |
equipo.linkpc[.]net | Domain | Additional BlotchyQuasar C2 domain |
perfect5.publicvm[.]com | Domain | Additional BlotchyQuasar C2 domain |
perfect8.publicvm[.]com | Domain | Additional BlotchyQuasar C2 domain |
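The following script is an added example, not code from Zscaler or from the original report: it takes the defanged IOCs from the table above, refangs them, and sweeps them over constructed DNS-query log lines and file hashes. Because the report notes that BlindEagle relies on dynamic DNS for its infrastructure, any lookup of a host under the two dynamic DNS zones the listed C2 domains share (linkpc.net and publicvm.com, derived from the table) is surfaced as a lower-confidence hit for triage rather than as a confirmed match. The log line format, the client IPs, and the host `perfect9.publicvm.com` are constructed for the example and do not come from the report.

```python
"""Added example (not from the original page or Zscaler/ThreatLabz): match the
BlotchyQuasar IOCs listed in the report against constructed log lines and file
hashes, and flag lookups under the dynamic DNS zones the C2 domains use."""
import hashlib
import re

# IOCs copied from the report's table, defanged exactly as printed there.
DEFANGED_DOMAINS = [
    "edificiobaldeares.linkpc[.]net",
    "equipo.linkpc[.]net",
    "perfect5.publicvm[.]com",
    "perfect8.publicvm[.]com",
]
KNOWN_HASHES = {
    "md5": {"b83f6c57aa04dab955fadcef6e1f4139"},
    "sha256": {"ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd"},
}
# Dynamic DNS zones shared by the C2 domains above (derived from the IOC list).
DYNDNS_ZONES = ("linkpc.net", "publicvm.com")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' / 'hxxp' style defanging back into a usable, lowercase string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed log format (assumption for the example): '... query=<host> ...'.
_DNS_LINE = re.compile(r"query=(?P<host>[a-z0-9.-]+)", re.IGNORECASE)


def classify_host(host: str) -> str:
    """'known_c2' for an exact IOC match, 'dyndns_zone' for any other host under
    the shared dynamic DNS zones, 'clean' otherwise."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return "known_c2"
    if any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
        return "dyndns_zone"
    return "clean"


def scan_dns_log(lines):
    """Return (host, verdict) for every log line whose queried host is not clean."""
    hits = []
    for line in lines:
        m = _DNS_LINE.search(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        verdict = classify_host(host)
        if verdict != "clean":
            hits.append((host, verdict))
    return hits


def check_file_hashes(data: bytes) -> dict:
    """Compare a file's MD5 and SHA256 against the report's sample hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest() in KNOWN_HASHES["md5"],
        "sha256": hashlib.sha256(data).hexdigest() in KNOWN_HASHES["sha256"],
    }


# Constructed sample DNS log lines (not real telemetry); perfect9.publicvm.com is a
# made-up sibling of the listed C2 hosts, included to show the dynamic DNS heuristic.
SAMPLE_LOG = [
    "2024-06-12T09:14:03Z client=10.0.4.17 query=edificiobaldeares.linkpc.net type=A",
    "2024-06-12T09:14:05Z client=10.0.4.17 query=intranet.example.com type=A",
    "2024-06-12T09:15:40Z client=10.0.4.22 query=perfect9.publicvm.com type=A",
    "2024-06-12T09:16:01Z client=10.0.4.31 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for host, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{verdict:12} {host}")
    print(check_file_hashes(b"constructed placeholder, not the real sample"))
```

The exact-match set answers "has this host talked to a listed C2?", while the zone heuristic is deliberately kept separate: many legitimate hosts live under dynamic DNS providers, so a `dyndns_zone` hit is a lead for an analyst to pivot on, not an alert on its own.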
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing: Spearphishing Link | T1566.002 | BlindEagle sent phishing emails with malicious links to gain initial access |
Execution | User Execution: Malicious File | T1204.002 | Victims manually executed the BlotchyQuasar sample from the ZIP archive |
Execution | User Execution: Malicious Link | T1204.001 | Victims clicked on the malicious link included in the phishing email |
Persistence | Boot or Logon Autostart Execution | T1547.001 | BlotchyQuasar achieves persistence by setting a registry RunKey |
Defense Evasion | Obfuscated Files or Information | T1027.002 | BlotchyQuasar used software packing and multiple layers of encryption |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | BlotchyQuasar attempts to disable Windows Defender features |
Collection | Input Capture: Keylogging | T1056.001 | BlotchyQuasar logs keystrokes from the infected system |
Command and Control | Non-Application Layer Protocol | T1095 | BlotchyQuasar communicates over a socket-based C2 channel |
Exfiltration | Exfiltration Over C2 Channel | T1041 | BlotchyQuasar exfiltrates stolen information over the C2 channel |