Since June 2024, the Colombian insurance sector has been targeted by the threat actor known as BlindEagle (also tracked as AguilaCiega, APT-C-36 and APT-Q-98). According to analysis published last week by Zscaler ThreatLabz, the group relies on phishing email as its primary initial-access vector and has mainly targeted government and financial institutions in South America, particularly in Colombia and Ecuador. In the latest campaign, phishing emails disguised as communications from the Colombian tax authority deliver a heavily obfuscated variant of the BlotchyQuasar malware; the report notes that a significant share of the targeted individuals work in the Colombian insurance industry.
The attack begins with BlindEagle sending phishing emails that impersonate the Colombian National Tax and Customs Authority (DIAN), posing as a tax-related notice and directing victims to a compromised Google Drive folder. The emails create a sense of urgency by claiming that unpaid taxes have resulted in a seizure order. The folder holds a ZIP archive; when victims download and open it, they unknowingly execute the BlotchyQuasar malware.
BlotchyQuasar is a sophisticated and heavily obfuscated remote access tool (RAT) capable of performing a variety of malicious actions. It can log keystrokes, monitor banking activity, steal data from various applications, execute commands on the infected system, and carry out other harmful activities.
BlotchyQuasar’s command-and-control (C2) infrastructure uses Pastebin as a dead-drop resolver: the malware retrieves encrypted C2 server details from a paste and decrypts them to locate its server, so the hard-coded indicator in the sample is a Pastebin URL rather than the C2 address itself. The C2 domains are often hosted on compromised VPN nodes or routers in Colombia, a tactic consistent with BlindEagle’s previous operations. These domains frequently use Dynamic DNS (DDNS) services, which lets the operators keep the same C2 hostname while the underlying (often residential) IP address changes, making the infrastructure harder to block and detect.
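The two-stage pattern above (fetch a paste, then resolve a DDNS name shortly afterwards) is something a SOC can hunt for in proxy and DNS telemetry without knowing the specific paste or domain in advance. The following Python is an added example written for this page, not code from Zscaler or from the malware. It assumes a simple constructed log format of the form `<timestamp> <host> <DNS|HTTP> <value>`, a short list of well-known DDNS suffixes (an assumption; the report names no particular provider), and the sample log lines are constructed for illustration.

```python
"""Hunt for the dead-drop-resolver pattern: a host fetches a Pastebin raw
paste and, within a short window, resolves a dynamic-DNS hostname.

Log format (constructed for this example, not a real product format):
    <ISO-8601 timestamp> <host> <DNS|HTTP> <value>
where value is a queried domain for DNS, or "<METHOD> <URL>" for HTTP.
"""
import re
from datetime import datetime, timedelta

# Assumption: common dynamic-DNS suffixes. The report does not name the
# provider BlindEagle used; extend this list from your own threat intel.
DDNS_SUFFIXES = (
    "duckdns.org", "ddns.net", "no-ip.org", "no-ip.com", "hopto.org",
    "zapto.org", "sytes.net", "myftp.biz", "dynu.net",
)
# Dead-drop hosts worth watching; the report names only Pastebin.
PASTE_HOSTS = ("pastebin.com",)

# Constructed sample telemetry (hostnames, paste IDs and domains are made up).
SAMPLE_LOG = """\
2024-09-02T10:00:01Z ws-17 HTTP GET https://pastebin.com/raw/AbCdEf12
2024-09-02T10:00:03Z ws-17 DNS fincorp-update.duckdns.org
2024-09-02T10:00:04Z ws-17 HTTP CONNECT fincorp-update.duckdns.org:4782
2024-09-02T10:05:00Z ws-03 HTTP GET https://pastebin.com/raw/ZzYyXx99
2024-09-02T10:07:30Z ws-03 DNS www.example.com
2024-09-02T11:00:00Z ws-22 DNS homecam.ddns.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DNS|HTTP) (.+)$")


def parse(log_text):
    """Parse log lines into (timestamp, host, kind, value), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole hunt
        ts, host, kind, value = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, value))
    events.sort(key=lambda e: e[0])
    return events


def is_ddns(domain):
    """True if the domain is, or sits under, a known DDNS provider suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def is_paste_fetch(http_value):
    """True for a GET whose host is one of the watched paste sites."""
    parts = http_value.split()
    if len(parts) != 2 or parts[0] != "GET":
        return False
    m = re.match(r"https?://([^/]+)/", parts[1])
    return bool(m) and m.group(1).lower() in PASTE_HOSTS


def find_dead_drop_resolution(log_text, window=timedelta(minutes=10)):
    """Return one alert per (host, DDNS lookup) that follows a paste fetch
    by the same host within `window`. Each alert records how many seconds
    after the paste fetch the DDNS name was resolved."""
    last_paste = {}  # host -> (timestamp, paste URL)
    alerts = []
    for ts, host, kind, value in parse(log_text):
        if kind == "HTTP" and is_paste_fetch(value):
            last_paste[host] = (ts, value.split()[1])
        elif kind == "DNS" and is_ddns(value) and host in last_paste:
            pts, url = last_paste[host]
            if ts - pts <= window:
                alerts.append({
                    "host": host,
                    "paste_url": url,
                    "ddns_domain": value,
                    "seconds_after_paste": int((ts - pts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_dead_drop_resolution(SAMPLE_LOG):
        print(a)
```

On the constructed sample only `ws-17` fires: `ws-03` fetched a paste but resolved an ordinary domain, and `ws-22` resolved a DDNS name with no preceding paste fetch, which on its own is too noisy to alert on in most environments. Correlating the two events in sequence is what makes the signal specific to this resolver pattern; in production the paste fetch itself is also worth a lower-severity signal, since most business hosts have no reason to pull raw pastes.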
Zscaler expects the attacks to continue. The report states: “Zscaler ThreatLabz anticipates that BlindEagle will continue launching malware campaigns in the future. We remain vigilant in monitoring the activity of this threat actor to ensure our customers are well-protected against this threat.”