BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar
Sept. 5, 2024, 5:17 p.m.
Description
BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts. BlotchyQuasar, a variant of QuasarRAT, is heavily obfuscated and capable of keylogging, stealing credentials, and monitoring banking activities. The malware communicates with command and control servers using dynamic DNS services and VPNs. This campaign demonstrates BlindEagle's continued focus on South American targets, particularly in Colombia, using tax-related lures and customized malware variants.
Date
Published: Sept. 5, 2024, 4:47 p.m.
Created: Sept. 5, 2024, 4:47 p.m.
Modified: Sept. 5, 2024, 5:17 p.m.
Indicators
Attack Patterns
BlotchyQuasar
RemcosRAT
QuasarRAT
AsyncRAT
BlindEagle
T1027.003
T1056.002
T1586.002
T1583.001
T1608.001
T1587.001
T1053.005
T1539
T1564.001
T1027.002
T1553.005
T1204.001
T1566.002
T1547.001
T1095
T1056.001
T1562.001
T1204.002
T1140
Additional Information
Insurance
Finance
Government
Colombia
Ecuador