A pair of Israeli financial technology companies were recently the target of a malware campaign featuring an updated version of the rarely seen Cardinal remote access trojan, researchers from Palo Alto Networks’ Unit 42 team are reporting.
Unit 42 originally discovered Cardinal RAT in 2017, at the time tying it to a downloader called Carp that leverages macros in Microsoft Excel documents to deploy the remote access trojan. The RAT had already been active for two years in 2017, managing to stay under the radar with its low-volume campaigns.
The latest upgrades to Cardinal RAT are intended to minimize future detection, using obfuscation techniques, including an instance of steganography in which an embedded bitmap (BMP) file actually contains a malicious DLL.
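The bitmap trick described above is worth showing from the defender's side. The following Python is an added example, not code from Unit 42's report or from the malware, and it makes no claim about how Cardinal RAT actually lays out its BMP. It demonstrates a generic check a triage script can apply to any `.bmp`: parse the file header, compute where the pixel array should end, flag any trailing bytes beyond it, and scan the whole file for an `MZ` stub whose `e_lfanew` field points at a valid `PE\0\0` signature. The sample BMP and the fake PE stub are constructed inline for the test; the helper names are my own.

```python
import struct

# Constructed stand-in for a PE image: a DOS "MZ" header whose e_lfanew
# (offset 0x3C) points at a "PE\0\0" signature at offset 0x40. It is not
# a real executable and does nothing; it exists only to exercise the scanner.
FAKE_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(16)


def build_bmp_with_payload(payload: bytes, width: int = 4, height: int = 4) -> bytes:
    """Build a minimal 24-bit BMP and append `payload` after the pixel array.

    Constructed test input only: a legitimate image has nothing after the
    pixel data, so the payload bytes are what the scanner should notice.
    """
    row_size = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    pixels = bytes(row_size * height)          # all-black image
    pixel_offset = 14 + 40                     # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_size = pixel_offset + len(pixels) + len(payload)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, pixel_offset)
    info_header = struct.pack(
        "<IiiHHIIiiII",
        40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0,
    )
    return file_header + info_header + pixels + payload


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every plausible PE image start found in `data`.

    A bare "MZ" match is too noisy for pixel data, so each candidate must
    also have an e_lfanew that lands on a "PE\\0\\0" signature.
    """
    hits = []
    pos = 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos == -1 or pos + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(pos)
        pos += 1
    return hits


def analyze_bmp(data: bytes) -> dict:
    """Parse the BMP headers and report anomalies a defender cares about:
    bytes past the declared pixel array, and any embedded PE header."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_size = (abs(width) * bpp // 8 + 3) & ~3
    expected_end = pixel_offset + row_size * abs(height)   # height < 0 means top-down
    return {
        "declared_size": file_size,
        "actual_size": len(data),
        "expected_pixel_end": expected_end,
        "trailing_bytes": max(len(data) - expected_end, 0),
        "pe_offsets": find_embedded_pe(data),
    }


if __name__ == "__main__":
    print("clean:", analyze_bmp(build_bmp_with_payload(b"")))
    print("with payload:", analyze_bmp(build_bmp_with_payload(FAKE_PE)))
```

Trailing bytes alone are only a weak signal (some editors append metadata), and the `MZ`/`PE` check can miss a payload that is encoded or XORed in the pixel data rather than stored as plain bytes. Treat a hit as a reason to pull the file for deeper analysis, not as a verdict.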
In a March 19 blog post authored by researchers Tom Lancaster and Josh Grunzweig, Unit 42 recognizes the trojan’s latest iteration as version 1.7.2. As with its predecessors, Cardinal RAT is capable of collecting victim information, updating settings, acting as a reverse proxy, executing commands, recovering passwords, downloading and executing new files, keylogging, capturing screenshots and more.
According to the blog post, one of the two fintech companies also submitted a sample of EVILNUM malware to Palo Alto Networks around the same unspecified time that it was attacked by Cardinal RAT.
The primary purpose of EVILNUM is to provide attackers with data about the infected host before second-stage malware is downloaded. However, the January 2019 version of the malware has additional functionality, including taking screenshots and stealing local cookies, Palo Alto Networks reports.
Interestingly, the droppers for both Cardinal RAT and EVILNUM share similar phishing campaign lure documents, which typically reference lists containing the names and numbers of individuals involved in cryptocurrency and foreign exchange trading. It hardly seems a coincidence, then, that the two targeted fintech companies both write software related to cryptocurrency and forex trading.
Further investigation uncovered yet another organization (whose industry sector affiliation is not indicated in the report) that was also targeted by both Cardinal and EVILNUM, a highly unusual circumstance considering both malware families are distributed sparingly, Unit 42 notes.
While the Cardinal and EVILNUM families could potentially be related, Unit 42 does note that there are also considerable differences in the two malware families’ geographic distribution, delivery methods and infrastructure.
“Even if the two families are not linked, they both have similar targeting interests, and so fintech organisations should ensure they are protected against the malware used,” the blog post concludes. “Whilst we haven’t been able to gain an insight into what the attackers do once successfully on a target network, it’s likely (based on the targets) they use their access to facilitate financial gain.”