BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

Sept. 5, 2024, 5:17 p.m.

Description

BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts. BlotchyQuasar, a variant of QuasarRAT, is heavily obfuscated and capable of keylogging, stealing credentials, and monitoring banking activities. The malware communicates with command and control servers using dynamic DNS services and VPNs. This campaign demonstrates BlindEagle's continued focus on South American targets, particularly in Colombia, using tax-related lures and customized malware variants.

Date

Published: Sept. 5, 2024, 4:47 p.m.
Created: Sept. 5, 2024, 4:47 p.m.
Modified: Sept. 5, 2024, 5:17 p.m.

Indicators (SHA-256 file hashes and one IP address)

ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd

b55ea05c32535a6089c3db3124163c023facd2ea7c42e21ad32c599e498a3bf5

7c24496d765ada6b1de182bb3a5e36894f699a855a17810dc163a615a47db714

7860838e0e073637ec889ba1f1564d363b6a16d6185f9cbb9bb30d38a394335b

503ba890a3a849057c199aa78367aec8e99d77270fc280df7f1988dff7331d80

22f98117e5e182bf3de5b86dbf29953163df88eff0a182729931b9976bf884c0

18f11ac8be104b23e282d01156ae251b59e9a93d5d504a32306f15358d4da019

69.167.8.118

Attack Patterns

BlotchyQuasar

RemcosRAT

QuasarRAT

AsyncRAT

BlindEagle

T1027.003

T1056.002

T1586.002

T1583.001

T1608.001

T1587.001

T1053.005

T1539

T1564.001

T1027.002

T1553.005

T1204.001

T1566.002

T1547.001

T1095

T1056.001

T1562.001

T1204.002

T1140

Additional Information

Insurance

Finance

Government

Colombia

Ecuador