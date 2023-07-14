In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors.

BlotchyQuasar, which X-Force describes as a banking trojan due to it containing a hardcoded list of banking applications, was developed on top of the QuasarRAT codebase, and is under active development and supports a wide range of different custom commands. Some of the most interesting features include the installation of root certificates and proxy auto-config URLs, which may be used in conjunction with Google Chrome Kiosk mode to impersonate financial institutions.

BlotchyQuasar has various commands to install specific third-party tools such as PuTTY, RDP, Chrome/Opera Portable, AnyDesk, TightVNC, hidden-VNC, NGINX server, Node.js server, Remote Utilities, WinPwnage, and credential stealers. The third-party tools are common post-exploitation tools used to enable human-operated attacks, along with enabling remote desktop protocols (RDP), and Server Message Block (SMB) tunneling.