Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

A cyber-espionage group known as Blind Eagle has been identified targeting the Colombian insurance sector, using a modified version of the Quasar RAT to compromise networks and steal sensitive information. Blind Eagle, also known as AguilaCiega, has been active since June 2024 and has previously focused on government and financial institutions in South America, particularly Colombia and Ecuador.

Phishing Attacks as Initial Vector:

    • The attacks begin with phishing emails impersonating the Colombian tax authority, tricking victims with fake seizure orders due to alleged unpaid taxes.
    • These emails contain links to malicious ZIP archives hosted on Google Drive accounts of compromised Colombian government organizations.

Quasar RAT Variant:

    • Blind Eagle delivers a customized version of Quasar RAT, named BlotchyQuasar, which is highly obfuscated using tools like DeepSea and ConfuserEx to avoid detection.
    • Quasar RAT is capable of keylogging, executing shell commands, stealing web browser data, and monitoring banking services in Colombia and Ecuador.

Command-and-Control Infrastructure:

    • The malware communicates with its C2 server using Pastebin as a resolver to fetch the domain.
    • The C2 infrastructure is protected behind VPN nodes and compromised routers, primarily located within Colombia, with the actor using Dynamic DNS (DDNS) to host the C2 domain.
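As an added example that is not part of the original report, the following Python sketch flags the dead-drop resolver pattern described above in web proxy logs: a host fetching a Pastebin raw paste and then, shortly afterwards, connecting to a dynamic-DNS hostname. The log format, IP addresses, hostnames and the DDNS suffix list are constructed placeholders and are assumptions, not values from the report.

```python
"""Flag the dead-drop resolver pattern: a Pastebin raw fetch followed by a
connection to a dynamic-DNS hostname from the same source within a short window."""
from datetime import datetime

# Assumption: illustrative DDNS suffixes; replace with your own curated list.
DDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")
RESOLVER_HOSTS = ("pastebin.com",)

# Constructed proxy log lines (time-sorted): "<ISO timestamp> <src_ip> <dest_host> <path>"
SAMPLE_LOG = """\
2024-09-10T08:00:01 10.0.0.5 pastebin.com /raw/PLACEHOLDER
2024-09-10T08:00:03 10.0.0.5 example-update.duckdns.org /
2024-09-10T08:01:00 10.0.0.7 pastebin.com /raw/NOTES
2024-09-10T09:30:00 10.0.0.7 static.example.com /index.html
2024-09-10T10:00:00 10.0.0.9 dyn-host.hopto.org /
"""

def parse_line(line):
    ts, src, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, host.lower(), path

def is_ddns(host):
    # Match the suffix itself or any subdomain of it.
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)

def find_dead_drop_sequences(log_text, window_seconds=300):
    """Return (src_ip, resolver_host, ddns_host) triples where a raw-paste fetch
    is followed by a DDNS connection from the same source within the window.
    Assumes the log is already sorted by timestamp."""
    last_resolver_fetch = {}  # src_ip -> (timestamp, resolver host)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, host, path = parse_line(raw)
        if host in RESOLVER_HOSTS and path.startswith("/raw/"):
            last_resolver_fetch[src] = (ts, host)
        elif is_ddns(host) and src in last_resolver_fetch:
            fetch_ts, fetch_host = last_resolver_fetch[src]
            if (ts - fetch_ts).total_seconds() <= window_seconds:
                hits.append((src, fetch_host, host))
    return hits

if __name__ == "__main__":
    for src, resolver, ddns in find_dead_drop_sequences(SAMPLE_LOG):
        print(f"ALERT {src}: fetched {resolver} raw paste, then contacted {ddns}")
```

A Pastebin fetch alone or a DDNS connection alone is not alerted on; only the ordered pair from one source within the window is, which keeps the rule quiet on ordinary browsing.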

Stealing Financial Data:

    • The malware is specifically designed to capture interactions with banking and payment services, allowing Blind Eagle to collect financial data from compromised users and organizations.

Advanced Obfuscation Techniques:

    • To hinder analysis and reverse engineering, BlotchyQuasar is wrapped in multiple layers of tool-based obfuscation, making it difficult for security professionals to trace and analyze the attack.

Blind Eagle's continued focus on South America, particularly Colombia's government and financial sectors, presents a significant cyber threat. Organizations in the region should be on high alert for phishing emails and employ advanced security solutions to detect and mitigate attacks involving Quasar RAT and similar malware.