"Blind Eagle" attacks Colombia: how a letter from the tax office can lead to a complete compromise

Behind the harmless PDF hides a trap that is difficult to escape.

The Colombian insurance sector has been targeted by the BlindEagle hacking group, which has been actively distributing a modified version of the well-known Quasar RAT malware since June 2024. Researchers from Zscaler said in their report that the attacks begin with phishing emails that are disguised as official messages from the Colombian tax service.

BlindEagle, also known as AguilaCiega and APT-C-36, has been attacking organizations and individuals in South America for years. They mainly target government and financial institutions in Colombia and Ecuador, but just last month we described how the group attacked Brazilian organizations.

The group's main delivery vector is phishing email carrying links to malicious files. A message contains either an attached PDF or a link in the body, and in both cases the victim is led to download a ZIP archive hosted on Google Drive. Notably, the archives are served from compromised accounts that previously belonged to Colombian government organizations.

The lure relies on creating a sense of urgency. The attackers send notifications, purportedly from the tax service, demanding immediate payment of tax arrears. This pressures recipients into opening the malicious links, which starts the infection chain.

The ZIP archive hides a modified version of the Quasar RAT, dubbed BlotchyQuasar. The malware is additionally protected by obfuscation tools, which makes it difficult to analyze and identify. Such methods were described in detail in an IBM study conducted in July 2023.

BlotchyQuasar is capable of logging keystrokes, executing shell commands, stealing data from browsers and FTP clients, and monitoring the victim's use of banking and payment services in Colombia and Ecuador. In addition, the malware retrieves its C&C server details from the Pastebin service and uses Dynamic DNS services to host its command-and-control domains.

To hide its infrastructure, BlindEagle uses VPN services and compromised routers, mainly located in Colombia. Experts note that this group continues to use similar strategies to disguise its attacks.

BlindEagle continues to prove that even well-known tools such as the Quasar RAT can become dangerous weapons in the hands of experienced attackers if modified and used in targeted attacks. Sophisticated methods of hiding infrastructure and skillful disguise as official agencies underscore the importance of enhanced cyber defenses, especially for financial and government organizations, which remain priority targets for such groups.
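The two infrastructure traits described above, a Pastebin lookup to fetch C&C details followed by contact with a Dynamic DNS hostname, can be correlated in proxy and DNS logs. The following detection sketch is an added example and not part of the original article or Zscaler's research; the log format, the hostnames and the short list of Dynamic DNS suffixes are constructed for illustration.

```python
"""Flag hosts that fetch a Pastebin raw page and, within a short window,
resolve a hostname under a Dynamic DNS provider (a BlotchyQuasar-style
C&C bootstrap). Log format and DynDNS list are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, illustrative list of Dynamic DNS suffixes; extend from your own intel.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/\S+$")
WINDOW = timedelta(minutes=10)  # max gap between Pastebin fetch and DynDNS lookup

# Constructed log format: "<ISO timestamp> <host> <proxy|dns> <url-or-name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>proxy|dns) (?P<target>\S+)$")

def parse(line):
    """Return (timestamp, host, kind, target) or None for an unparseable line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["kind"], m["target"]

def is_dyndns(name):
    return name.lower().endswith(DYNDNS_SUFFIXES)

def find_suspects(lines):
    """Map host -> DynDNS names resolved within WINDOW after a Pastebin raw fetch."""
    events = sorted(e for e in (parse(l) for l in lines) if e)
    pastebin_hits = defaultdict(list)   # host -> timestamps of raw-paste fetches
    suspects = defaultdict(list)
    for ts, host, kind, target in events:
        if kind == "proxy" and PASTEBIN_RAW.match(target):
            pastebin_hits[host].append(ts)
        elif kind == "dns" and is_dyndns(target):
            # Correlate only with a Pastebin fetch that happened shortly before.
            if any(timedelta(0) <= ts - t0 <= WINDOW for t0 in pastebin_hits[host]):
                suspects[host].append(target)
    return dict(suspects)

# Constructed sample logs: ws-17 matches the pattern; ws-22 only resolves a
# DynDNS name; ws-31 fetches a paste but resolves DynDNS too late to correlate.
SAMPLE_LOGS = [
    "2024-07-01T09:00:05 ws-17 proxy https://pastebin.com/raw/PLACEHOLDER1",
    "2024-07-01T09:03:40 ws-17 dns update-svc.duckdns.org",
    "2024-07-01T10:00:00 ws-22 dns backup-node.ddns.net",
    "2024-07-01T11:00:00 ws-31 proxy https://pastebin.com/raw/PLACEHOLDER2",
    "2024-07-01T11:30:00 ws-31 dns relay.no-ip.org",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOGS))  # {'ws-17': ['update-svc.duckdns.org']}
```

Pastebin and Dynamic DNS both have legitimate uses, so treat a hit as a triage lead to pair with endpoint telemetry rather than a verdict on its own.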
