Cyberattack attempts to deploy the keylogging, screenshot-taking, password-stealing Cardinal RAT malware.
A trojan malware campaign is attempting to compromise financial technology and cryptocurrency trading companies in an effort to harvest credentials, passwords and other confidential information.
The cyberattacks leveraging an updated version of the Cardinal RAT malware have been spotted and detailed by Unit 42, the research division of security company Palo Alto Networks.
Cardinal RAT remained under the radar for two years before being uncovered in 2017 – but having that cover blown hasn’t stopped cyber criminals from deploying the malware in an effort to stealthily infiltrate the networks of high-value targets using Windows systems.
The previous version of Cardinal used phishing emails and malicious document lures to compromise targets, and this latest variant appears to use similar tactics.
Information within the payload identifies the malware as version 1.7.2 – the 2017 incarnation was version 1.4, suggesting its authors have been busy providing updates in the time since.
That includes new obfuscation techniques to hide the underlying code: the first layer uses steganography, with the initial sample, compiled in .NET, hidden inside a .BMP image file.
In addition to the obfuscation, the malware itself has seen some minor tweaks in how it’s configured, but the core goal of Cardinal remains the same – infiltrate the target PC and carry out malicious activity.
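The article does not say how the payload is encoded inside the image, so as an added defender's example (not code from the Unit 42 report or from ZDNet) the check below covers the simplest cases an analyst would triage first: a BMP whose header size disagrees with the file, bytes appended past the pixel data, or a contiguous PE image (an 'MZ' stub whose e_lfanew points at 'PE\0\0') inside the pixel bytes. The `make_bmp` helper and `FAKE_PE` stub are constructed sample data; a bit-level (LSB) encoding would not be caught by this scan.

```python
import struct

def find_pe(blob: bytes) -> int:
    """Offset of an embedded PE image in blob, or -1 if none is found.

    A PE starts with 'MZ' and its e_lfanew field (offset 0x3C) points at the
    'PE\\0\\0' signature; checking both avoids matching a stray 'MZ' in pixels.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if e_lfanew < 0x1000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def scan_bmp(data: bytes) -> list:
    """Findings for a BMP that may carry a payload, as human-readable strings."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file"]
    declared_size, pixel_off = struct.unpack_from("<I4xI", data, 2)
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixel_len = row_bytes * abs(height)                  # negative height = top-down image
    findings = []
    if declared_size != len(data):
        findings.append(f"header says {declared_size} bytes, file is {len(data)}")
    trailing = len(data) - (pixel_off + pixel_len)
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after pixel data")
    off = find_pe(data[pixel_off:])
    if off != -1:
        findings.append(f"PE image at file offset {pixel_off + off}")
    return findings

def make_bmp(width: int, height: int, extra: bytes = b"") -> bytes:
    """Constructed sample: a solid-colour 24-bpp BMP, optionally with bytes appended."""
    row = (b"\x00\x80\xff" * width).ljust(((width * 24 + 31) // 32) * 4, b"\x00")
    pixels = row * height
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + extra

# Constructed stand-in for a PE: 'MZ' stub whose e_lfanew points at 'PE\0\0'.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 16

if __name__ == "__main__":
    print(scan_bmp(make_bmp(2, 2)))            # []
    print(scan_bmp(make_bmp(2, 2, FAKE_PE)))   # three findings
```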
The malware can collect usernames and passwords, capture screenshots and perform keylogging – all enabling the attacker to get their hands on the sort of information that can help them gain access to sensitive accounts.
Cardinal can also download and execute new files, update itself and update settings of the machine. It can also uninstall itself and clear cookies from browsers in an effort to keep its activity hidden when the deed is done.
This campaign appears to be focused on fintech organisations in Israel, specifically those who write software relating to forex and cryptocurrency trading.
There’s currently no evidence to suggest that the attacks have been successful, but cyber criminals likely view financial technology firms as a lucrative target: if they can break into the network, they can reap the rewards. So the attackers are likely to keep trying.
“At its simplest, this is where the attackers felt they could get the most return on their investment of time and money resources,” Jen Miller Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks told ZDNet.
“This indicates another aspect of thoughtfulness and sophistication on the part of the attackers. Rather than carry out a broad style attack, they’ve been very focused in their attacks. This in turn makes discovery less likely,” she added.
While the exact details of the attacker remain unknown, researchers examining Cardinal RAT noticed one of the malware’s targets had also been targeted by attackers using another form of malware known as Evilnum.
It’s possible that Evilnum is being used as a loader for Cardinal – and potentially other malicious tools – and was therefore developed by the same attack group. However, researchers also note that it could be a case of two different attack groups attempting to compromise the same fintech organisations that they both see as a lucrative target.
The two forms of malware remain active, but a few basic procedures should stop organisations from falling victim.
“Running up-to-date security that can block malicious attachments and sites, encouraging users to only open attachments that they trust from parties that they trust and staying up to date on security updates can all help protect,” said Miller Osborn.
Unit 42 have detailed the Indicators of Compromise for Cardinal RAT and Evilnum in their analysis of the malware.
Date: March 21, 2019