BlindEagle, a South American-focused APT group, launched a new campaign in June 2024 targeting Colombian insurance companies where the attackers used phishing emails impersonating the Colombian tax authority to lure victims into clicking on malicious links, which led to the installation of a heavily obfuscated variant of BlotchyQuasar RAT.
The malware enabled BlindEagle to steal payment-related data from the compromised systems as researchers identified additional malicious domains associated with this campaign, highlighting the ongoing threat posed by BlindEagle to the Colombian insurance sector.
BlindEagle attacks start with phishing emails impersonating Colombian tax authority (DIAN) to target insurance companies, where the emails contain a PDF attachment and a download URL for a password-protected ZIP archive hosted on a compromised Colombian government Google Drive, which is included in the email.
Analysis suggests the emails originated from the attacker’s infrastructure via a Powerhouse Management VPN to mask their location, where the ZIP archive contains a malicious .NET BlotchyQuasar executable.
BlotchyQuasar, a sophisticated RAT, employs multiple layers of obfuscation to evade detection. The initial layer, concealed within a ZIP archive, decrypts a nested DLL, SimpleLogin.dll.
It extracts and transforms a bitmap resource, HSOm, to reveal a hidden DLL, Tyrone.dll, which in turn decrypts the final payload, Client.exe, which is the actual BlotchyQuasar malware hindering reverse engineering efforts.
BlotchyQuasar retrieves its command-and-control (C2) domain from Pastebin. A Base64-encoded and 3DES-encrypted string is fetched from a specific Pastebin URL and decrypted using a key derived from the MD5 hash of “qualityinfosolutions.”
The resulting C2 domain is used for communication over port 9057. To monitor user interactions with banking and payment services, BlotchyQuasar examines window titles for predefined strings associated with targeted organizations.
Detected interactions are logged as references in an XML file named “settings.xml” stored in the startup folder, as the malware primarily targets Colombian and Ecuadorian banks.
It is malware that steals login credentials and other sensitive information, which logs keystrokes and stores them in encrypted files within the %APPDATA%\GPrets directory. The log files use AES in CBC mode for encryption with a hardcoded key and PKCS7 padding.
The decryption process involves retrieving the 32-byte HMAC SHA256 hash, 16-byte random IV, and the encrypted payload from the log file. Then, a Python script with the Crypto library can be used to decrypt the payload using the AES key, IV, and CBC mode.
ThreatLabz has attributed a recent malware campaign targeting the Colombian insurance sector to the threat actor BlindEagle, which leveraged phishing emails impersonating DIAN to distribute the BlotchyQuasar RAT, a variant of QuasarRAT.
The threat actor’s use of DDNS services, compromised routers, and VPN nodes aligns with their past tactics. Given their continued activity, organizations in the targeted sectors should remain vigilant and adopt robust security measures to mitigate the risks associated with BlindEagle attacks.