BlotchyQuasar RAT targets Latin American entities

August 26, 2023

New cybersecurity research has analysed a threat campaign that leverages the BlotchyQuasar RAT to target organisations in the Latin American region. According to the reports, the newly discovered campaign began in late April and continued into May.

Researchers believe that the developer of the remote access trojan is the Hive0129 cybercriminal group. Moreover, the operators of the BlotchyQuasar RAT primarily distribute the payload through phishing emails that impersonate government agencies in Latin America.


The BlotchyQuasar RAT operators use lures such as tax status to bait targets.


The BlotchyQuasar RAT email informs recipients about their tax status and instructs them to access a link. The attacker geofences that link using the Geo Targetly service.

Once the victim opens the link, a password-protected LHA archive is downloaded.

Next, once the archive is decrypted, a .NET malware loader called RoboSki is dropped onto the victim's system.

RoboSki then deploys the BlotchyQuasar RAT in the final phase of the infection process. Researchers noted that Hive0129 is not the only group with access to the RoboSki loader: it has also been used by other low-profile threat actors to deliver malware such as Formbook, Lokibot, and AgentTesla.

However, researchers noted that the BlotchyQuasar RAT version used in the campaign is under active development and has been circulating in the cybercriminal landscape for more than a couple of years.

Its most significant attacks occurred on enterprise applications utilised for financial transactions in Latin America’s most well-known financial institutions. Furthermore, other researchers explained that as the malware continued to evolve, it revealed features overlapping with another malware called ProyectoRAT that appeared in 2019, targeting Latin American users.

Earlier this year, the RAT developers also included an ability to target the Google Chrome Kiosk tool.

Experts claimed that the Hive0129 threat group would likely continue to improve their malicious tools to launch more phishing campaigns against the Latin American region. Therefore, entities within the area should study the IOCs associated with the attack campaign to help them prevent or mitigate such threats.
