RSS Security Boulevard

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

In June 2024, Zscaler ThreatLabz detected new activity from BlindEagle, an advanced persistent threat (APT) actor targeting organizations and individuals in the government and finance sectors in South America, particularly in Colombia and Ecuador. The primary method of gaining access to the target's systems is through phishing emails. Once access is gained, the threat actor usually employs commodity .NET Remote Access Trojans (RATs), like AsyncRAT, RemcosRAT, and more, to steal credentials from various banking service providers. BlindEagle is also known for operating repurposed or customized variants of commodity RATs, like BlotchyQuasar. The attack chain typically originates with a phishing email that contains a PDF attachment and a URL that points to a ZIP archive file. The ZIP archive contains a .NET BlotchyQuasar executable. The C2 communication for this sample leveraged the hardcoded port 9057. BlotchyQuasar implements a multitude of features, including the ability to monitor a victim's interactions with specific banking and payment services. It targets the browser and FTP client applications for information-stealing purposes. The malware accesses Pastebin to retrieve the current C2 domain. By successfully decrypting these pastes, we uncovered three more C2 domains: equipo.linkpc[.]net, perfect5.publicvm[.]com, and more.
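As an added detection example (not part of the Security Boulevard summary or the Zscaler report), the script below refangs the published indicators and scans constructed DNS/connection log lines for the two behaviours the summary describes: a Pastebin dead-drop lookup followed by an outbound connection on port 9057, and lookups of the named C2 domains. The log format, host names and IP addresses are assumptions made up for this example.

```python
import re
from collections import defaultdict

# Indicators as published in the summary (defanged "[.]" form).
C2_DOMAINS_DEFANGED = ["equipo.linkpc[.]net", "perfect5.publicvm[.]com"]
C2_PORT = 9057                 # hardcoded C2 port reported for this sample
DEAD_DROP_HOST = "pastebin.com"  # used by the malware to fetch the current C2 domain

def refang(indicator):
    """Turn the report's defanged 'a[.]b' form into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed sample telemetry (not real data): "<ts> <host> dns|conn <detail>"
SAMPLE_LOG = """\
2024-06-03T10:01:02Z wks-17 dns pastebin.com
2024-06-03T10:01:05Z wks-17 conn 203.0.113.10:9057
2024-06-03T10:02:00Z wks-17 dns equipo.linkpc.net
2024-06-03T10:05:00Z wks-22 dns example.org
2024-06-03T10:05:03Z wks-22 conn 198.51.100.5:443
2024-06-03T11:00:00Z wks-31 conn 192.0.2.7:9057
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")

def scan(log_text):
    """Return {host: [reasons]} for hosts showing BlotchyQuasar-like behaviour."""
    findings = defaultdict(list)
    pastebin_seen = set()  # hosts that resolved the dead-drop site earlier in the log
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, host, event, detail = m.groups()
        if event == "dns":
            name = detail.lower()
            if name == DEAD_DROP_HOST:
                pastebin_seen.add(host)
            elif name in C2_DOMAINS:
                findings[host].append(f"dns lookup of known C2 domain {name}")
        elif event == "conn":
            port = int(detail.rsplit(":", 1)[1])
            if port == C2_PORT:
                reason = f"outbound connection to port {C2_PORT}"
                if host in pastebin_seen:
                    reason += " after a pastebin.com lookup (dead-drop resolver pattern)"
                findings[host].append(reason)
    return dict(findings)
```

A port-9057 connection on its own is a weak signal; the Pastebin-then-C2 sequence on the same host is what raises confidence, so triage those hosts first.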
securityboulevard.com