The advanced persistent threat group Blind Eagle, also tracked as APT-C-36, APT-Q-98, and AguilaCiega, has deployed a new variant of the Quasar RAT backdoor dubbed "BlotchyQuasar" in intrusions against insurance organizations across Colombia, The Hacker News reports.
Blind Eagle's attacks begin with phishing emails that spoof the Colombian tax authority and lure recipients into clicking embedded links. Those links redirect to a ZIP archive hosted in a Google Drive folder, and opening that archive leads to the execution of BlotchyQuasar, according to a Zscaler ThreatLabz analysis.

Beyond keystroke logging, shell command execution, monitoring of banking and payment services, and exfiltration of browser and FTP client data, BlotchyQuasar retrieves its command-and-control domain from Pastebin, which it uses as a dead-drop resolver, and evades detection by being obfuscated with the ConfuserEx and DeepSea tools.

"Blind Eagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia. This attack demonstrates the continued use of this strategy," said Zscaler ThreatLabz researcher Gaetano Pellegrino.