New Phishing Attack on Insurance Firms with Modified Quasar RAT

The Colombian insurance sector has been targeted by the threat actor known as Blind Eagle, which has been deploying a customized build of the open-source Quasar Remote Access Trojan (RAT) against it since June 2024.

The group, also tracked as AguilaCiega, APT-C-36, and APT-Q-98, has a long history of targeting organizations and individuals in South America, with a particular focus on government and financial organizations in Colombia and Ecuador.

The attack begins with phishing emails impersonating the Colombian tax authority, designed to get recipients to click a malicious link. The links, either embedded in a PDF attachment or placed directly in the email body, lead to ZIP archives hosted in a Google Drive folder belonging to a compromised account of a regional government organization in Colombia, so the download comes from a legitimate cloud domain and a real institution's storage.

To increase the likelihood of success, the emails are framed as official notices of seizure orders for unpaid taxes. The pressure of an imminent penalty is intended to push the recipient into opening the attachment or link immediately rather than verifying it.

The ZIP archive delivers BlotchyQuasar, a modified build of the .NET-based Quasar RAT wrapped in additional layers of obfuscation produced by .NET protectors such as DeepSea or ConfuserEx, which hampers both static detection and manual analysis of the assembly.

The RAT carries the usual Quasar feature set plus targeted additions: keystroke logging, execution of shell commands, theft of stored credentials from web browsers and FTP clients, and monitoring of user activity on specific banking and payment services in Colombia and Ecuador.

Blind Eagle further complicates detection by using Pastebin as a dead-drop resolver: instead of hard-coding the command-and-control (C2) address, the implant fetches a paste that holds the current C2 domain, and that domain is registered through Dynamic DNS (DDNS) services, so both the paste and the DNS record can be changed without redeploying the malware. The group also shields its infrastructure behind a network of VPN nodes and compromised routers, predominantly located in Colombia, to preserve anonymity and blend in with local traffic.
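The Pastebin-then-DDNS sequence described above is observable from the network side. The following is an added detection example written for this article; it is not code from the report or from the Blind Eagle toolset. It correlates, per client host, a fetch of a raw Pastebin URL with a DNS lookup of a hostname under a DDNS provider shortly afterwards. The log line format, the DDNS suffix list, the ten-minute window and the sample log lines are all assumptions constructed for the example.

```python
"""Correlate Pastebin dead-drop fetches with Dynamic DNS lookups per host.

Added example for this article, not the report's or the malware's code.
The line format, DDNS suffix list, time window and sample logs are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed DDNS providers to watch; extend the list from your own threat intel.
DDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")

# Assumed proxy/DNS log format: "<ISO-8601 UTC> <client_ip> <GET|CONNECT|DNS> <target>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|CONNECT|DNS)\s+(\S+)$")

# Raw paste URLs are what an implant fetches to read a dead-drop value.
PASTEBIN_RAW_RE = re.compile(r"^https?://pastebin\.com/raw/[A-Za-z0-9]+$")

WINDOW = timedelta(minutes=10)  # assumed: how soon after the fetch the lookup must occur

# Constructed sample logs (not real traffic). Host .41 shows the suspicious chain,
# .77 fetches a paste but resolves a DDNS name hours later, .90 only resolves DDNS.
SAMPLE_LOGS = """\
2024-06-14T09:12:01Z 10.20.3.41 GET https://drive.google.com/file/d/1AbCdEf/view
2024-06-14T09:13:02Z 10.20.3.41 GET https://pastebin.com/raw/aBcDeF12
2024-06-14T09:13:04Z 10.20.3.41 DNS update-svc.duckdns.org
2024-06-14T09:13:05Z 10.20.3.41 CONNECT update-svc.duckdns.org:443
2024-06-14T09:45:10Z 10.20.3.41 DNS update-svc.duckdns.org
2024-06-14T10:01:00Z 10.20.3.77 GET https://pastebin.com/raw/XyZ98765
2024-06-14T10:02:30Z 10.20.3.77 GET https://www.wikipedia.org/
2024-06-14T11:20:00Z 10.20.3.90 DNS home-cam.no-ip.org
2024-06-14T14:00:00Z 10.20.3.77 DNS backup.ddns.net
"""


def parse(lines):
    """Turn log lines into (timestamp, host, verb, target) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, verb, target = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, verb, target))
    return events


def is_ddns(name):
    """True if the hostname (optionally with :port) sits under a watched DDNS suffix."""
    name = name.split(":")[0].lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def correlate(events, window=WINDOW):
    """Alert when a host resolves a DDNS name within `window` of fetching a raw paste."""
    by_host = defaultdict(list)
    for ev in sorted(events):  # chronological order per host
        by_host[ev[1]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        # How often each DDNS name was looked up by this host (repeat lookups suggest beaconing).
        lookups = Counter(t for _, _, v, t in evs if v == "DNS" and is_ddns(t))
        pending = []  # paste fetches still waiting for a matching DDNS lookup
        for ts, _, verb, target in evs:
            if verb == "GET" and PASTEBIN_RAW_RE.match(target):
                pending.append((ts, target))
            elif verb == "DNS" and is_ddns(target):
                pending = [(t, u) for t, u in pending if ts - t <= window]
                for t, u in pending:
                    alerts.append({
                        "host": host,
                        "paste_url": u,
                        "ddns_domain": target,
                        "seconds_after_fetch": (ts - t).total_seconds(),
                        "lookups": lookups[target],
                    })
                pending = []  # each fetch produces at most one alert
    return alerts


def run_demo():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse(SAMPLE_LOGS.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The window is deliberately short: the implant reads the paste and immediately resolves what it found, so a lookup minutes or hours later (host .77 in the sample) is most likely unrelated browsing. The `lookups` count is a cheap second signal; a C2 hostname is resolved again on every reconnect, which ordinary DDNS usage rarely produces from a workstation.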

This attack illustrates the persistent nature of Blind Eagle’s tactics, continuing their strategy of targeting organizations in South America through sophisticated phishing schemes.

To defend against campaigns like this, organizations should combine email security controls (phishing detection that also follows links into attachments and to cloud-storage hosts) with employee awareness training built around the exact lure used here: urgent tax seizure notices. Regular patching and vulnerability assessments reduce the attacker's options after initial access. Phishing-resistant multi-factor authentication (MFA) on cloud accounts matters as well: the delivery chain relied on a compromised Google Drive account belonging to a government organization, the kind of account takeover MFA is meant to prevent.

Additionally, network segmentation and monitoring for the activity patterns this campaign exhibits, such as an endpoint fetching raw Pastebin content and then resolving Dynamic DNS hostnames, can help detect and contain an infection before the RAT's keylogging and credential theft cause significant damage.