September 10, 2024
Severity
High
Analysis Summary
A threat actor known as Blind Eagle is targeting the insurance industry in Colombia with the aim of delivering a modified strain of the Quasar remote access trojan (RAT), in a campaign observed since June 2024.
Cybersecurity researchers said, “Attacks have originated with phishing emails impersonating the Colombian tax authority.”
The advanced persistent threat (APT) group, also tracked as AguilaCiega, APT-C-36, and APT-Q-98, has a history of targeting South American institutions and individuals, particularly those associated with the banking and government sectors in Ecuador and Colombia. According to recent research, the attack chains begin with phishing emails that trick recipients into clicking links to malicious websites, which act as the entry point for the infection process.
The email contains links to ZIP archives hosted in a Google Drive folder belonging to a hijacked account associated with a regional government institution in Colombia. The URLs appear either directly in the email body or embedded in a PDF attachment. Blind Eagle's lure notifies the victim of a seizure order pending payment of unpaid taxes, instilling a sense of urgency and pressuring the victim to act immediately.

The download contains a Quasar RAT variant known as BlotchyQuasar, which adds further layers of obfuscation using tools such as DeepSea or ConfuserEx to hinder analysis and reverse engineering. The malware can record keystrokes, run shell commands, steal information from FTP clients and web browsers, and monitor a victim's transactions with particular banking and payment services based in Ecuador and Colombia.
It additionally uses Pastebin as a dead drop resolver to obtain the command-and-control (C2) domain, and the threat actor hosts the C2 domain through Dynamic DNS (DDNS) services. Blind Eagle usually hides its infrastructure behind a network of compromised routers and VPN nodes, most of them located in Colombia, and this attack shows that the tactic is still in use.
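The Pastebin dead-drop and DDNS behaviour described above gives defenders something concrete to hunt for in web proxy logs. The following is an added example, not code from the advisory or its authors: it assumes a constructed log format of `<ISO timestamp> <client_ip> <url>`, tags each line against the advisory's IoC domains and URL, and adds a weaker generic signal for a raw Pastebin fetch followed within a short window by a connection to a DDNS host (the `parse_line`, `classify` and `hunt` functions and the DDNS suffix list are the example's own assumptions).

```python
import re
from datetime import datetime, timedelta

# Indicators quoted from this advisory.
IOC_DOMAINS = {"edificiobaldeares.linkpc.net", "equipo.linkpc.net",
               "perfect5.publicvm.com", "perfect8.publicvm.com"}
IOC_URLS = {"https://pastebin.com/raw/XAfmb6xp"}
DDNS_SUFFIXES = (".linkpc.net", ".publicvm.com")  # assumed weaker, generic signal
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")  # assumed format: "<ISO ts> <client_ip> <url>"

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line, skipped by the caller
    ts, client, url = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "host": host}

def classify(rec):
    """Return the list of tags that apply to one parsed record."""
    tags = []
    if rec["url"] in IOC_URLS:
        tags.append("ioc_url")
    if rec["host"] in IOC_DOMAINS:
        tags.append("ioc_domain")
    elif rec["host"].endswith(DDNS_SUFFIXES):
        tags.append("ddns_host")
    if rec["url"].startswith("https://pastebin.com/raw/"):
        tags.append("pastebin_raw")
    return tags

def hunt(lines, window=timedelta(minutes=10)):
    """Tag every line and flag a client that fetches a raw paste and then contacts
    a DDNS or IoC host within `window`: the dead-drop-resolver sequence."""
    hits, last_paste = [], {}
    for rec in filter(None, map(parse_line, lines)):
        tags = classify(rec)
        if "pastebin_raw" in tags:
            last_paste[rec["client"]] = rec["ts"]
        if ({"ddns_host", "ioc_domain"} & set(tags)) and rec["client"] in last_paste \
                and rec["ts"] - last_paste[rec["client"]] <= window:
            tags.append("dead_drop_sequence")
        if tags:
            hits.append((rec["client"], rec["url"], tags))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-09-10T09:00:00 10.0.0.5 https://www.example.org/index.html",
    "2024-09-10T09:01:00 10.0.0.7 https://pastebin.com/raw/XAfmb6xp",
    "2024-09-10T09:01:30 10.0.0.7 http://perfect5.publicvm.com/",
    "2024-09-10T09:05:00 10.0.0.9 http://other.linkpc.net/",
]
```

Running `hunt(SAMPLE_LOG)` flags the second client for both the exact IoCs and the paste-then-DDNS sequence, while the third client is reported only on the weaker DDNS signal for triage.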
Impact
- Keylogging
- Command Execution
- Information Theft
- Cyber Espionage
Indicators of Compromise
Domain Name
- edificiobaldeares.linkpc.net
- equipo.linkpc.net
- perfect5.publicvm.com
- perfect8.publicvm.com
MD5
- b83f6c57aa04dab955fadcef6e1f4139
SHA-256
- ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd
SHA-1
- a68cac786b47575a0d747282ace9a4c75e73504d
URL
- https://pastebin.com/raw/XAfmb6xp
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.