Palo Alto Networks researchers spotted a previously unknown remote access trojan (RAT) dubbed the Cardinal RAT which uses a unique technique involving malicious Excel macros.
Researchers said the RAT has been active for more than two years and so far has operated at a very low volume during this period and totalling roughly 27 samples, according to an April 20 blog post.
One of the reasons this RAT remained undetected so long is because it is delivered using a downloader dubbed “Carp” which uses macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy malware family, researchers said in the post.
“This can help the downloader evade some detection,” Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks told SC Media. “Also the very low prevalence of both the Carp downloader and Cardinal RAT help both to go undetected: in essence they’ve been able to fly under the radar.”
Users are usually infected when a malicious doc is sent to the target via spam email which entices them into opening the document and running the macros. Afterward the Carp Downloader downloads Cardinal RAT from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and decrypts it using AES-128 and then executes it.
Grunzweig said it’s important to note that the Excel macros, the Carp Downloader and Cardinal RAT all execute in the user’s security context.
“This means that for a user running with limited privileges, those limitations would apply to the macros, downloader and RAT,” he said. “Also, there are no attacks against vulnerabilities (exploits) here: this is malicious code that is run by social engineering only.”
He added the use of uncompiled source code is an unusual and innovative technique.