URL: https://cyware.com/news/blotchyquasar-rat-targets-users-in-latam-region-2c992ff1

BLOTCHYQUASAR RAT TARGETS USERS IN LATAM REGION

 * Malware and Vulnerabilities
 * July 18, 2023
 * Cyware Alerts - Hacker News

IBM Security X-Force has dissected a new attack campaign that used BlotchyQuasar
RAT to target Latin Americans. The campaign was first detected in late April and
continued through May.

A GLANCE AT THE NEW BLOTCHYQUASAR ATTACK METHOD

Likely developed by the Hive0129 cybercriminal group, BlotchyQuasar was
distributed by a phishing email impersonating government agencies in Latin
America.
 * The email informed the recipients of their tax status and prompted them to
   click on a link within the email.
 * The link was geofenced using the Geo Targetly service. Once the victim
   clicked on it, a password-protected archived LHA file was downloaded.
 * Upon decrypting the archive file, a .NET malware loader identified as RoboSki
   was downloaded onto the victim's system.
 * This RoboSki loader ultimately led to the deployment of BlotchyQuasar RAT in
   the final stage of the infection chain.

Researchers noted that the RoboSki loader was not only used by the Hive0129
group, but was also leveraged by other low-profile threat actors to deploy
various RATs and stealers, such as AgentTesla, FormBook, or LokiBot, via
phishing emails.


ABOUT THE BLOTCHYQUASAR VERSION

The version of BlotchyQuasar RAT used in the campaign is under active
development and has been in the wild for more than two years.
 * It targeted personal and enterprise applications used for financial
   transactions with the most popular banks in Latin America, specifically in
   Colombia, Ecuador, and Bolivia.
 * As the malware variant continued to evolve, several of its features were
   found to overlap with ProyectoRAT, a malware reported in 2019 that also
   targeted users in Latin America.
 * The most recent addition is the Google Chrome Kiosk feature, which was
   likely added earlier this year.
LATAM IN THE FOCUS

The BlotchyQuasar campaign comes days after a similar phishing campaign was
observed targeting users in the LATAM region. Criminals used the TOITOIN trojan,
which was designed to collect system information and extract data from popular
web browsers, including Google Chrome, Microsoft Edge, Internet Explorer, Mozilla
Firefox, and Opera, on the systems of LATAM users.
CONCLUSION

X-Force researchers assess that Hive0129 threat actors will likely continue to
enhance their tools and launch more phishing operations within the LATAM region.
Security researchers suggest that the IOCs associated with the attack campaign
will help organizations block or eliminate the threat.

Publisher: CYWARE