BlindEagle Aims for Colombian Insurance Market with BlotchyQuasar

Zscaler ThreatLabz observed BlindEagle targeting Colombia’s insurance sector in June 2024, using the BlotchyQuasar RAT to steal banking-related data via a multi-layered, obfuscated payload hosted on compromised Google Drive folders. The operation combines phishing that impersonates the Colombian DIAN tax authority, DDNS-based C2 infrastructure, and data-exfiltration capabilities to monitor banking activity and harvest credentials. #BlindEagle #BlotchyQuasar #QuasarRAT #DIAN #Colombia #DDNS #GoogleDrive

Keypoints

  • Beginning in June 2024, BlindEagle targeted the Colombian insurance sector.
  • Phishing emails impersonated the Colombian tax authority (DIAN) to lure victims.
  • BlotchyQuasar RAT was used, featuring multiple layers of obfuscation.
  • Malware was distributed via password-protected ZIP files hosted on compromised Google Drive accounts.
  • BlindEagle’s infrastructure includes the use of VPNs and dynamic DNS services.
  • The malware can keylog and monitor interactions with banking services.
  • IOCs identified include specific C2 domains and related indicators.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – ‘BlindEagle uses DDNS services to create third level domains for C2.’
  • [T1586.002] Compromise Accounts: Email Accounts – ‘BlindEagle controlled a Google Drive folder owned by a Colombian government organization.’
  • [T1587.001] Develop Capabilities: Malware – ‘BlindEagle is operating BlotchyQuasar, which may be considered a customized variant of QuasarRAT.’
  • [T1608.001] Stage Capabilities: Upload Malware – ‘BlindEagle staged a BlotchyQuasar sample on a compromised and publicly available Google Drive folder.’
  • [T1566.002] Phishing: Spearphishing Link – ‘BlindEagle attempted to gain initial access to the victim’s system by using a phishing email including a link to download BlotchyQuasar malware.’
  • [T1204.002] User Execution: Malicious File – ‘BlindEagle renamed the BlotchyQuasar sample to be consistent with the phishing email lure and to push the victim to manually execute the malware.’
  • [T1204.001] User Execution: Malicious Link – ‘BlindEagle’s attack chain starts with the victim clicking on a link included in the email body and in the attached PDF file.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘BlotchyQuasar achieves persistence by setting a RunKey.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – ‘BlotchyQuasar creates a scheduled task that launches itself every 3 minutes.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – ‘If executed with elevated privileges, BlotchyQuasar attempts to disable several Defender features.’
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – ‘BlotchyQuasar creates hidden directories to store keylogger files.’
  • [T1027.003] Obfuscated Files or Information: Steganography – ‘One protection layer includes a bitmap image as a .NET-managed resource.’
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – ‘BlotchyQuasar malware is buried under three layers of encrypted code.’
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – ‘BlotchyQuasar stores the keylogger logs after encrypting them with AES.’
  • [T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass – ‘BlotchyQuasar deletes the Zone.Identifier ADS to bypass the MOTW.’
  • [T1027.002] Obfuscated Files or Information: Software Packing – ‘BlotchyQuasar loader is obfuscated with .NET obfuscators.’
  • [T1140] Deobfuscate/Decode Files or Information – ‘The BlotchyQuasar C2 domain is decrypted with AES.’
  • [T1056.001] Input Capture: Keylogging – ‘BlotchyQuasar logs keystrokes.’
  • [T1539] Steal Web Session Cookie – ‘BlotchyQuasar can steal cookies and passwords from browsers and FTP clients.’
  • [T1125] Video Capture – ‘BlotchyQuasar can control the webcams of infected systems.’
  • [T1095] Non-Application Layer Protocol – ‘BlotchyQuasar establishes a socket-based C2 channel.’
  • [T1041] Exfiltration Over C2 Channel – ‘BlotchyQuasar exfiltrates stolen information over the C2 channel.’
  • [T1490] Inhibit System Recovery – ‘BlotchyQuasar deletes the shadow copies with the vssadmin utility.’
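The host-side behaviours in the list above (Run key, 3-minute scheduled task, Defender tampering, Zone.Identifier removal, hidden directories, shadow-copy deletion) are more useful as a combined hunt than as single rules, since each on its own is common. The following is an added example, not code from the Zscaler post or from BlindEagle tooling: a set of small rules run over a constructed endpoint-telemetry feed. The event schema (type/image/command_line/target/attributes) and the exact command lines in the sample are assumptions; only the behaviours come from the page.

```python
"""Added example (not from the Zscaler post): hunt rules for the BlotchyQuasar
host behaviours, run over constructed endpoint telemetry. The event schema and
the sample command lines are assumptions; the behaviours are from the page."""
import re

def _run_key(ev):
    # T1547.001: a value written under a CurrentVersion\Run key.
    return ev["type"] == "registry_set" and bool(
        re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I))

def _schtasks_3min(ev):
    # T1053.005: schtasks.exe creating a task on a 3-minute MINUTE schedule.
    cl = ev.get("command_line", "").lower()
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("schtasks.exe")
            and "/create" in cl and "/sc minute" in cl
            and bool(re.search(r"/mo\s+3\b", cl)))

def _defender_tamper(ev):
    # T1562.001: Set-MpPreference switching a -Disable* feature on. The page only
    # says Defender features are disabled; this command form is an assumption.
    return ev["type"] == "process_create" and bool(re.search(
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true", ev.get("command_line", ""), re.I))

def _motw_strip(ev):
    # T1553.005: the Zone.Identifier alternate data stream deleted from a file.
    return ev["type"] == "file_delete" and ev["target"].lower().endswith(":zone.identifier")

def _hidden_dir(ev):
    # T1564.001: a directory created with the hidden attribute set.
    return ev["type"] == "dir_create" and "hidden" in ev.get("attributes", ())

def _vss_delete(ev):
    # T1490: vssadmin deleting shadow copies.
    cl = ev.get("command_line", "").lower()
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("vssadmin.exe")
            and "delete shadows" in cl)

RULES = [
    ("T1547.001", "Run key persistence", _run_key),
    ("T1053.005", "scheduled task every 3 minutes", _schtasks_3min),
    ("T1562.001", "Defender feature disabled", _defender_tamper),
    ("T1553.005", "Zone.Identifier stream removed", _motw_strip),
    ("T1564.001", "hidden directory created", _hidden_dir),
    ("T1490", "shadow copies deleted", _vss_delete),
]

def hunt(events):
    """Return (technique, description, event) for every event that trips a rule."""
    return [(tid, desc, ev) for ev in events for tid, desc, pred in RULES if pred(ev)]

def techniques_seen(events):
    """Distinct techniques on one host; several together is the strong signal."""
    return sorted({tid for tid, _, _ in hunt(events)})

# Constructed sample telemetry for one host (not real data).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 3 /tn Updater /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "file_delete", "target": r"C:\Users\u\Downloads\Factura.exe:Zone.Identifier"},
    {"type": "dir_create", "target": r"C:\Users\u\AppData\Local\Logs", "attributes": ("hidden",)},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    # Benign noise that must not fire:
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /query /fo list"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for tid, desc, ev in hunt(SAMPLE_EVENTS):
        print(f"{tid:10} {desc}: {ev.get('command_line') or ev.get('target')}")
    print("techniques:", techniques_seen(SAMPLE_EVENTS))
```

Each predicate checks the event type before touching type-specific fields, so the rules can be run over a mixed feed; the value of the set is in `techniques_seen`, where six distinct techniques on one host in a short window is what distinguishes this chain from ordinary administration.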

Indicators of Compromise

  • [IP] Email source – 69.167.8.118 (the first mail header places the message origin at this IP, which is associated with the Powerhouse Management VPN service)
  • [SHA256] BlotchyQuasar sample – ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd
  • [SHA1] BlotchyQuasar sample – a68cac786b47575a0d747282ace9a4c75e73504d
  • [MD5] BlotchyQuasar sample – b83f6c57aa04dab955fadcef6e1f4139
  • [URL] Paste containing the encrypted C2 domain – hXXps://pastebin[.]com/raw/XAfmb6xp
  • [Domain] edificiobaldeares.linkpc[.]net
  • [Domain] equipo.linkpc[.]net
  • [Domain] perfect5.publicvm[.]com
  • [Domain] perfect8.publicvm[.]com
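The indicators above are published defanged and cover four sources (DNS, an outbound paste fetch, a mail header and file hashes), so a matcher has to refang them and look in the right telemetry for each. The block below is an added example, not code from the Zscaler post: it matches the page's indicators against constructed DNS, proxy, mail-header and hash data. The log line formats, the "watch" classification for other names under the same dynamic-DNS zones, and the sample data are assumptions; the indicator values are the page's own.

```python
"""Added example (not from the Zscaler post): match the page's indicators against
constructed DNS, proxy, mail-header and file-hash telemetry. Log formats and the
'watch' pivot on sibling DDNS names are assumptions; indicator values are the page's."""
import re

def refang(ioc):
    """Reverse the page's defanging so values compare against real log data."""
    return ioc.replace("[.]", ".").replace("hXXp", "http")

C2_DOMAINS = {refang(d) for d in (
    "edificiobaldeares.linkpc[.]net", "equipo.linkpc[.]net",
    "perfect5.publicvm[.]com", "perfect8.publicvm[.]com")}
PASTE_URL = refang("hXXps://pastebin[.]com/raw/XAfmb6xp")
EMAIL_SOURCE_IP = "69.167.8.118"
BLOTCHY_HASHES = {
    "ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebd",  # SHA256
    "a68cac786b47575a0d747282ace9a4c75e73504d",                          # SHA1
    "b83f6c57aa04dab955fadcef6e1f4139",                                  # MD5
}
# The C2 hosts are third-level names under two public dynamic-DNS zones. Other
# names under those zones are not indicators from the page, so they are reported
# as "watch" rather than "alert" (a lower-confidence pivot, assumed here).
DDNS_PARENTS = ("linkpc.net", "publicvm.com")

def classify_domain(qname):
    q = qname.rstrip(".").lower()
    if q in C2_DOMAINS:
        return "alert"
    if any(q.endswith("." + p) for p in DDNS_PARENTS):
        return "watch"
    return None

# Constructed formats: "<timestamp> <client-ip> <qname>" and "<timestamp> <client-ip> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<value>\S+)$")

def scan_dns(lines):
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_domain(m["value"])
        if verdict:
            hits.append((verdict, m["client"], m["value"].rstrip(".").lower()))
    return hits

def scan_proxy(lines):
    """Flag fetches of the paste that carries the AES-encrypted C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m["value"].lower() == PASTE_URL.lower():
            hits.append(("alert", m["client"], m["value"]))
    return hits

def scan_received(headers):
    """True if any Received: header names the VPN exit IP seen on the lure e-mail."""
    return any(h.lower().startswith("received:") and EMAIL_SOURCE_IP in h for h in headers)

def scan_hashes(observed):
    """Case-insensitive match of observed file hashes against MD5/SHA1/SHA256."""
    return {h.lower() for h in observed} & BLOTCHY_HASHES

# Constructed sample telemetry (not real data).
SAMPLE_DNS = [
    "2024-06-12T10:01:03Z 10.0.5.21 perfect5.publicvm.com",
    "2024-06-12T10:01:09Z 10.0.5.21 equipo.linkpc.net.",
    "2024-06-12T10:02:44Z 10.0.5.40 perfect9.publicvm.com",
    "2024-06-12T10:03:00Z 10.0.5.22 www.example.com",
    "malformed line",
]
SAMPLE_PROXY = [
    "2024-06-12T10:00:58Z 10.0.5.21 https://pastebin.com/raw/XAfmb6xp",
    "2024-06-12T10:01:00Z 10.0.5.22 https://pastebin.com/raw/notthisone",
]
SAMPLE_HEADERS = [
    "Received: from mail.example.test ([69.167.8.118]) by mx.example.test",
    "Subject: (constructed lure subject)",
]
SAMPLE_OBSERVED_HASHES = {
    "EC2DD6753E42F0E0B173A98F074AA41D2640390C163AE77999EB6C10FF7E2EBD",
    "0000000000000000000000000000000000000000",
}

def run_sample():
    return {
        "dns": scan_dns(SAMPLE_DNS),
        "proxy": scan_proxy(SAMPLE_PROXY),
        "email_from_vpn_ip": scan_received(SAMPLE_HEADERS),
        "hashes": scan_hashes(SAMPLE_OBSERVED_HASHES),
    }

if __name__ == "__main__":
    for source, result in run_sample().items():
        print(source, result)
```

Trailing dots and letter case are normalised before comparison, because DNS telemetry often carries the FQDN form and hash reports differ in case; a matcher that compares raw strings against the defanged values on the page would miss every one of them.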

Read more: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar