
Xforce keymaker







In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. BlotchyQuasar, which X-Force describes as a banking trojan because it contains a hardcoded list of banking applications, was developed on top of the QuasarRAT codebase, is under active development, and supports a wide range of custom commands. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors.

BlotchyQuasar has various commands to install specific third-party tools such as PuTTY, RDP, Chrome/Opera Portable, AnyDesk, TightVNC, hidden-VNC, NGINX server, Node.js server, Remote Utilities, WinPwnage, and credential stealers. Some of the most interesting features include the installation of root certificates and proxy auto-config URLs, which may be used in conjunction with Google Chrome Kiosk mode to impersonate financial institutions. The third-party tools are common post-exploitation tools used to enable human-operated attacks, along with enabling Remote Desktop Protocol (RDP) and Server Message Block (SMB) tunneling.

Hive0129, tracked by X-Force since 2019, likely originates from South America, with operations focused on targeting government and private entities across Colombia, Ecuador, Chile, and Spain, likely for financial data, business intelligence, and intellectual property.

Phishing emails are used to deliver commodity remote access trojans (RATs), such as Proyecto RAT, BitRAT, QuasarRAT, and most recently BlotchyQuasar. The emails are designed to appear to be from Latin American government agencies and contain malicious attachments or links.

X-Force detected an email phishing campaign from late April to late May 2023 impersonating government agencies in Latin America; the emails are well written and claim to inform the recipient of their tax status (see screenshots below). The recipients are instructed to click on a link within the email, which directs them to the document described.
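The root-certificate plus proxy-auto-config combination described above leaves host-level traces a defender can look for: a write to the user's `AutoConfigURL` value, a new blob under the user's trusted root store, and Chrome launched with the kiosk flag. The following detection logic is an added example and is not code from the X-Force report or from the malware; it runs over a handful of constructed Sysmon-style events (registry value set and process creation) and correlates the three indicators per host. The registry paths are the real Windows locations; hostnames, images, URLs, and the thumbprint are constructed sample values.

```python
"""Flag host traces consistent with rogue root CA + proxy auto-config abuse.

Added example, not from the X-Force report. Input is a list of constructed
Sysmon-style events: id 13 (registry value set) carries "target" and
"details"; id 1 (process creation) carries "command_line". Every event has
"host" and "image".
"""
import re
from collections import defaultdict

# Real registry locations; everything else in this file is constructed.
PAC_KEY = re.compile(r"\\Internet Settings\\AutoConfigURL$", re.IGNORECASE)
ROOT_CERT_BLOB = re.compile(
    r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.IGNORECASE)
KIOSK_FLAG = re.compile(r"(^|\s)--kiosk(\s|=|$)", re.IGNORECASE)
# Root CAs normally arrive via Windows Update or admin tooling, not a user-profile binary.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed sample telemetry: one host showing the full chain, one benign host.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 13, "image": r"C:\Users\u\AppData\Roaming\svc\update.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL",
     "details": "http://198.51.100.23/proxy.pac"},
    {"host": "WS01", "id": 13, "image": r"C:\Users\u\AppData\Roaming\svc\update.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\SystemCertificates\Root\Certificates"
               r"\A1B2C3D4E5F60718293A4B5C6D7E8F9012345678\Blob",
     "details": "Binary Data"},
    {"host": "WS01", "id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --kiosk https://banco.example/login"},
    {"host": "WS02", "id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
    {"host": "WS02", "id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe https://example.com"},
]


def classify(event):
    """Return (indicator, severity) for one event, or None if it is uninteresting."""
    if event["id"] == 13:
        target = event["target"]
        if PAC_KEY.search(target):
            url = event["details"].lower()
            # Plaintext HTTP or a bare IP literal is a stronger signal than a corporate HTTPS URL.
            plain_or_ip = url.startswith("http://") or re.match(r"https?://\d+\.\d+", url)
            return ("pac_url_set", "high" if plain_or_ip else "medium")
        if ROOT_CERT_BLOB.search(target):
            from_user_dir = not event["image"].lower().startswith(TRUSTED_IMAGE_DIRS)
            return ("root_cert_installed", "high" if from_user_dir else "medium")
    elif event["id"] == 1 and KIOSK_FLAG.search(event.get("command_line", "")):
        # Kiosk mode alone is common in legitimate deployments; it only matters in combination.
        return ("chrome_kiosk", "low")
    return None


def analyze(events):
    """Per-event findings plus a per-host correlation when all three indicators appear."""
    findings = []
    per_host = defaultdict(set)
    for e in events:
        hit = classify(e)
        if hit is None:
            continue
        findings.append({"host": e["host"], "indicator": hit[0],
                         "severity": hit[1], "image": e["image"]})
        per_host[e["host"]].add(hit[0])
    for host, kinds in per_host.items():
        if {"pac_url_set", "root_cert_installed", "chrome_kiosk"} <= kinds:
            findings.append({"host": host, "indicator": "rogue_ca_proxy_chain",
                             "severity": "critical", "image": None})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['severity']:8} {f['indicator']}")
```

Feeding real Sysmon or EDR registry and process events into `analyze` is a matter of mapping their field names onto `host`, `id`, `image`, `target`, `details` and `command_line`; the correlation step is what keeps the noisy kiosk-mode indicator from paging anyone on its own.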