Introduction

In June 2024, Zscaler ThreatLabz detected fresh activity from BlindEagle, an advanced persistent threat (APT) actor also identified as AguilaCiega, APT-C-36, and APT-Q-98. BlindEagle predominantly targets organizations and individuals in the government and finance sectors in South America, particularly in Colombia and Ecuador. BlindEagle's primary method of gaining initial access to targets' systems is phishing email. Once inside, the threat actor usually deploys commodity .NET Remote Access Trojans (RATs), such as AsyncRAT and RemcosRAT, to steal credentials for various banking service providers. BlindEagle is also known for operating repurposed or customized variants of commodity RATs, such as BlotchyQuasar, a variant of QuasarRAT.

In this blog, we focus on BlindEagle's use of the BlotchyQuasar RAT to target the Colombian insurance sector and steal payment-related data.

Key Takeaways

Beginning in June 2024, BlindEagle was observed targeting the Colombian insurance sector.
Attacks have originated with phishing emails impersonating the Colombian tax authority.
BlindEagle has leveraged a version of BlotchyQuasar for these attacks that is heavily protected by several nested obfuscation layers.
Zscaler ThreatLabz uncovered additional malicious domains that are likely used by this threat actor.

Technical Analysis

Overview

A BlindEagle attack chain typically originates with a phishing email that contains a PDF attachment and a URL pointing to a ZIP archive. The PDF attachment contains the same URL as the one provided in the email body; in other words, the ZIP file can be downloaded either from the PDF or directly from the email. Upon clicking the URL (in either the email body or the PDF), the victim downloads a ZIP archive from a Google Drive folder. This folder is owned by a compromised account belonging to a regional government organization in Colombia.
The ZIP archive contains a .NET BlotchyQuasar executable. The figure below provides a high-level overview of the attack chain.

Figure 1: A high-level overview of a BlindEagle attack chain, where the initial phishing email includes a download URL for a password-protected compressed archive and the final payload is a packed BlotchyQuasar sample.

Phishing email as initial vector

In the phishing email, the threat actor impersonated the Dirección de Impuestos y Aduanas Nacionales (DIAN), which is the Colombian National Tax and Customs Authority. The lure used by BlindE
[…]