Ravie Lakshmanan
The Colombian insurance sector is under attack by a threat actor known as Blind Eagle, who has been deploying a customized version of the Quasar RAT, a well-known remote access trojan, since June 2024.
Zscaler ThreatLabz researcher Gaetano Pellegrino revealed in a recent analysis that the attacks start with phishing emails pretending to be from the Colombian tax authority.
Blind Eagle, also identified as AguilaCiega, APT-C-36, and APT-Q-98, has a history of targeting organizations and individuals in South America, especially in the government and finance sectors of Colombia and Ecuador.
The attack chain begins with phishing emails that lure recipients into clicking malicious links, which lead to a ZIP archive hosted on Google Drive under a compromised account belonging to a Colombian government organization.
The perpetrators use various tactics, including posing as tax collection agencies, to create urgency and coerce victims into taking immediate action.
The archive contains a variant of Quasar RAT named BlotchyQuasar, with added obfuscation layers using tools like DeepSea and ConfuserEx to impede analysis and reverse engineering.
This malware variant can log keystrokes, execute shell commands, steal data from browsers and FTP clients, and monitor interactions with banking and payment services in Colombia and Ecuador.
The malware uses Pastebin as a dead-drop resolver to fetch the command-and-control (C2) domain, with the threat actor employing Dynamic DNS (DDNS) services for the C2 domain.
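Detection logic for the dead-drop pattern described above, as an added example that is not part of Zscaler's report or the malware itself: it correlates a Pastebin raw-paste fetch with a Dynamic DNS lookup from the same host shortly afterwards, over constructed proxy/DNS log lines. The log format, host names, paste URLs, domains and the DDNS suffix list are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not from the report). Format per line:
# "<ISO timestamp> <host> <event> <value>", event is http_get or dns_query.
SAMPLE_LOGS = """\
2024-07-02T09:14:03 WS-017 http_get https://pastebin.com/raw/EXAMPLE01
2024-07-02T09:14:05 WS-017 dns_query example-c2.duckdns.org
2024-07-02T09:20:00 WS-042 http_get https://pastebin.com/raw/EXAMPLE02
2024-07-02T11:30:00 WS-042 dns_query updates.example.com
2024-07-02T12:00:00 WS-099 dns_query another-host.no-ip.org
""".splitlines()

# DDNS provider suffixes to watch: an assumed, illustrative list, not one the report gives.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "dynu.com", "ddns.net")
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # how soon after the fetch the DDNS lookup must occur

def parse(line):
    ts, host, event, value = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, value

def is_ddns(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)

def find_dead_drop_sequences(lines, window=WINDOW):
    """Return (host, pastebin_url, ddns_domain) for each host that fetched a
    Pastebin raw paste and then resolved a DDNS domain within `window`."""
    last_fetch = {}  # host -> (timestamp, paste URL) of the most recent raw fetch
    hits = []
    for line in lines:
        ts, host, event, value = parse(line)
        if event == "http_get" and PASTEBIN_RAW.match(value):
            last_fetch[host] = (ts, value)
        elif event == "dns_query" and is_ddns(value) and host in last_fetch:
            fetch_ts, url = last_fetch[host]
            if timedelta(0) <= ts - fetch_ts <= window:
                hits.append((host, url, value))
    return hits

if __name__ == "__main__":
    for hit in find_dead_drop_sequences(SAMPLE_LOGS):
        print("dead-drop resolver pattern:", hit)
```

Only the first host matches: the second resolves a non-DDNS domain and the third never fetched a paste, which is the point of requiring both events in sequence rather than alerting on either alone.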
Blind Eagle hides its infrastructure behind VPN nodes and compromised routers, typically located in Colombia, continuing an approach the group has relied on persistently across its attacks.