The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a malware that has been targeting Israeli cyberspace especially those dealing with technology and financial sector.
Unit 42 originally discovered Cardinal RAT in 2017, at the time tying it to a downloader called Carp that leverages macros in Microsoft Excel documents to deploy the remote access trojan.
The RAT had already been active for two years in 2017, managing to stay under the radar with its low-volume campaigns.
The latest upgrades to Cardinal RAT are intended to minimize future detection, using obfuscation techniques, including an instance of stenography involving an embedded bitmap (BMP) file that actually contains a malicious DLL.
Dubbed Cardinal RAT (remote access Trojan) by researchers; the malware is currently targeting two Israeli fintech companies developing forex and cryptocurrency trading related software.
The malware has been around since April 2017 and lets hackers take remote control of the targeted system.
According to a blog post by Palo Alto Networks, the malware went undetected for the last two years and conducted low-volume attacks until now when researchers identified its updated version using “Carp Downloader” to drop its payload through macros obfuscated in Microsoft documents.
The malware using phishing emails to target its victims especially those individuals involved in trading forex or cryptocurrency sector.
Upon infecting the targeted device; the malware updates itself, collect user data, recover passwords, enable keylogging, take screenshots, download new files, acts as a reverse proxy, execute commands, uninstall itself before cleaning cookies from browsers.
Obfuscation present in Cardinal RAT payload (Image credit: Palo Alto Networks)
Unit 42 researchers also uncovered a link between Cardinal RAT and EVILNUM, a JavaScript-based persistent malware used in similar attacks.
This happened after one of the targeted fintech firms shared a malware sample with Palo Alto Networks in a similar timeframe during which it was hit by Cardinal.
Some of EVILNUM’s capabilities include setting up persistence, running arbitrary commands, downloading of additional files and taking screenshots.
Even if the two families are not linked, they both have similar targeting interests, and so FinTech organizations should ensure they are protected against the malware used. Whilst we haven’t been able to gain an insight into what the attackers do once successfully on a target network, it’s likely (based on the targets) they use their access to facilitate financial gain, said Tom Lancaster and Josh Grunzweig from Palo Alto Networks.