IBM Security X-Force has dissected a new attack campaign that used BlotchyQuasar RAT to target Latin Americans. The campaign was first detected in late April and continued through May.

A glance at the new BlotchyQuasar attack method

Likely developed by the Hive0129 cybercriminal group, BlotchyQuasar was distributed by a phishing email impersonating government agencies in Latin America.
  • The email informed the recipients of their tax status and prompted them to click on a link within the email.
  • The link was geofenced through the Geo Targetly link-generation service. Once the victim clicked on it, a password-protected LHA archive was downloaded.
  • Once the archive was decrypted, a .NET malware loader identified as RoboSki was downloaded onto the victim's system.
  • This RoboSki loader ultimately led to the deployment of BlotchyQuasar RAT in the final stage of the infection chain.
Researchers noted that the RoboSki loader was not only used by the Hive0129 group, but was also leveraged by other low-profile threat actors to deploy various RATs and stealers, such as AgentTesla, FormBook, and LokiBot, via phishing emails.
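As an added example (not code from the IBM X-Force report or from Cyware), the following Python shows a defender-side check that recognises an LHA archive by its header bytes rather than by its filename, so a lure archive delivered under a misleading name still surfaces for review. The `Download` record, the set of common method IDs and the sample bytes are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Every LHA/LZH header carries a 5-byte method ID at offset 2 (e.g. b"-lh5-")
# and the header level (0, 1 or 2) at offset 20. file(1) keys on the same
# bytes, so the check holds even when a lure renames the archive to hide it.
LHA_METHOD_RE = re.compile(rb"-l(?:h[0-7d]|z[s45])-")
LHA_EXTENSIONS = (".lha", ".lzh")


@dataclass
class Download:
    url: str       # where the file came from (hypothetical proxy/mail hook)
    filename: str  # name the sender gave it
    content: bytes


def is_lha_archive(data: bytes) -> bool:
    """True if `data` starts with an LHA level 0/1/2 header, whatever its name."""
    if len(data) < 22:
        return False
    method, level = data[2:7], data[20]
    return LHA_METHOD_RE.fullmatch(method) is not None and level in (0, 1, 2)


def flag_suspicious(dl: Download) -> list[str]:
    """Return the reasons a download deserves review; an empty list means none."""
    reasons = []
    if is_lha_archive(dl.content):
        reasons.append("lha-archive-content")  # rare container for a tax notice
        if not dl.filename.lower().endswith(LHA_EXTENSIONS):
            reasons.append("archive-extension-mismatch")  # disguised as another type
    return reasons


# Constructed samples (not real campaign artefacts): a minimal level-1 LHA
# header wrapping an entry named "a", and an ordinary PDF prefix.
SAMPLE_LHA = (
    bytes([0x17, 0x00])   # header size, checksum (not validated by this check)
    + b"-lh5-"            # method ID at offset 2
    + b"\x00" * 12        # compressed size, original size, time, date
    + b"\x20"             # attribute
    + b"\x01"             # header level 1 at offset 20
    + b"\x01a"            # filename length + filename
)
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 16


if __name__ == "__main__":
    for name in ("aviso.lzh", "aviso_tributario.pdf"):
        print(name, flag_suspicious(Download("https://example.invalid/x", name, SAMPLE_LHA)))
    print("real.pdf", flag_suspicious(Download("https://example.invalid/y", "real.pdf", SAMPLE_PDF)))
```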

About the BlotchyQuasar version

The version of BlotchyQuasar RAT used in the campaign is under active development and has been in the wild for more than two years.
  • It targeted personal and enterprise applications used for financial transactions at the most popular banks in Latin America, specifically in Colombia, Ecuador, and Bolivia.
  • As the malware variant continued to evolve, several of its features were found to overlap with ProyectoRAT, a malware reported in 2019 that targeted users in Latin America.
  • The most recent addition included the Google Chrome Kiosk feature, which was likely added earlier this year.

LATAM in the focus

The BlotchyQuasar campaign comes days after a similar phishing campaign was observed targeting users in the LATAM region. Criminals used the TOITOIN trojan, which was designed to collect system information and extract data from popular web browsers (Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox, and Opera) on the systems of LATAM users.

Conclusion

X-Force researchers assess that Hive0129 threat actors will likely continue to enhance their tools and launch more phishing operations within the LATAM region. Security researchers suggest that the IOCs associated with the attack campaign will help organizations block or eliminate the threat.
Cyware Publisher