Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

Sep 09, 2024Ravie LakshmananFinancial Security / Malware


A threat actor known as Blind Eagle has been targeting the Colombian insurance sector since June 2024 to deliver a customized version of Quasar RAT, a well-known remote access trojan (RAT).

The attacks begin with phishing emails impersonating the Colombian tax authority, Zscaler ThreatLabz researcher Gaetano Pellegrino said in an analysis published last week.

Referred to as AguilaCiega, APT-C-36, and APT-Q-98, the advanced persistent threat (APT) has historically targeted entities and individuals mainly in South America, particularly those associated with the government and finance sectors in Colombia and Ecuador.


A Kaspersky analysis recently detailed the attack chains, which originate from phishing emails enticing recipients to click on malicious links that serve as the entry point for the infection.

These links, embedded either in a PDF attachment or directly in the email body, lead to ZIP archives hosted in a Google Drive folder tied to a compromised account belonging to a local government entity in Colombia.

Pellegrino highlighted, “Blind Eagle used a bait of sending a victim a notice, claiming to be a seizure order due to unpaid tax dues, to create a sense of urgency and pressure the victim into immediate action.”

Customized Quasar RAT

Inside the archive is a variant of Quasar RAT named BlotchyQuasar, which adds further layers of obfuscation using tools such as DeepSea or ConfuserEx to hinder analysis and reverse engineering. IBM X-Force previously documented this variant in July 2023.

The malware supports keystroke logging, shell command execution, theft of data from web browsers and FTP clients, and monitoring of a victim's interactions with specific banking and payment services in Colombia and Ecuador.


It also uses Pastebin as a dead-drop resolver to retrieve the command-and-control (C2) domain, which the threat actor hosts on Dynamic DNS (DDNS) services.

“Blind Eagle usually conceals its infrastructure behind a mix of VPN nodes and compromised routers, primarily situated in Colombia,” Pellegrino said. “This attack showcases the ongoing use of this tactic.”
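The dead-drop-resolver pattern described above lends itself to a simple network heuristic for defenders: a host that fetches a raw paste and then, within minutes, contacts a Dynamic DNS hostname. The following Python is an added example, not code from the article or from Zscaler; the proxy-log format, the DDNS suffix list, the time window and the sample log lines are all constructed assumptions.

```python
"""Flag hosts that fetch a raw paste and then quickly contact a DDNS hostname.

Assumed (hypothetical) proxy-log line format:
    <ISO-8601 timestamp> <source IP> <destination host> <request path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: illustrative DDNS provider suffixes a defender might watch.
DDNS_SUFFIXES = tuple("." + s for s in ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.com"))
PASTE_HOSTS = ("pastebin.com",)
WINDOW = timedelta(minutes=10)  # assumed maximum gap between paste fetch and C2 contact


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, host, path)."""
    ts, src, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, host.lower(), path


def find_dead_drop_sequences(lines):
    """Return (src_ip, paste_host, ddns_host) for every source that contacted a
    DDNS hostname within WINDOW after fetching a raw paste. Lines are assumed to
    be in chronological order per source IP."""
    paste_fetches = defaultdict(list)  # src_ip -> [(timestamp, paste host)]
    hits = []
    for line in lines:
        ts, src, host, path = parse_line(line)
        if host in PASTE_HOSTS and path.startswith("/raw/"):
            paste_fetches[src].append((ts, host))
        elif host.endswith(DDNS_SUFFIXES):
            for paste_ts, paste_host in paste_fetches[src]:
                if timedelta(0) <= ts - paste_ts <= WINDOW:
                    hits.append((src, paste_host, host))
                    break
    return hits


# Constructed sample log: 10.0.0.5 matches the pattern, 10.0.0.7 is outside
# the window, and 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = [
    "2024-07-01T09:00:01 10.0.0.5 pastebin.com /raw/abcd1234",
    "2024-07-01T09:00:04 10.0.0.5 victim-c2.duckdns.org /",
    "2024-07-01T09:05:00 10.0.0.7 pastebin.com /raw/xyz789",
    "2024-07-01T10:00:00 10.0.0.7 something.ddns.net /",
    "2024-07-01T09:10:00 10.0.0.9 www.example.com /index.html",
]

if __name__ == "__main__":
    for src, paste_host, c2_host in find_dead_drop_sequences(SAMPLE_LOG):
        print(f"possible dead-drop resolver: {src} fetched {paste_host} then contacted {c2_host}")
```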
