According to Unit 42, the threat research arm of Palo Alto Networks, a malware family first detected in 2017 that had since gone quiet has resurfaced and launched attacks against firms. The malware in question, Cardinal RAT (a Remote Access Trojan), has returned and hit several targets, among them Israel-based fintech firms, including a developer of cryptocurrency trading software.
Unit 42 says the resurgence was straightforward to spot because the team had been tracking the malware since its first appearance. Its researchers also found that Cardinal RAT had received updates intended to keep it unnoticed for this long and to hinder analysis by security researchers. Unit 42 further noted that the updated Cardinal RAT resembles, in the mechanism used to build it, another malware family, EVILNUM.
How the Malware Gets Into the Victim's Machine
Cardinal RAT reaches its target through a Microsoft Excel document carrying a macro, which runs a downloader that Unit 42 calls Carp. Rather than dropping a finished binary, the downloader compiles the malware's source code on the victim's machine into an executable and launches it, so the payload only takes executable form on the target. Cardinal RAT also uses steganography: the payload is embedded in the data of a Bitmap (BMP) image that looks like a harmless logo to anyone viewing it. An image file does not execute on its own; it is the downloader that reads the hidden bytes out of the image, reconstructs the payload, and runs the installation.
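As an added illustration (not code from the Unit 42 report or from Cardinal RAT itself), the following Python example shows one common way a payload can be hidden in BMP pixel data, least-significant-bit (LSB) embedding, together with the extraction step a loader would perform and two triage checks an analyst can run on a suspicious image: whether any bytes trail the declared pixel array, and how much entropy the LSB plane carries. The BMP is constructed in memory, and the LSB scheme with a 4-byte length prefix is an assumption chosen for illustration, not the encoding Cardinal RAT uses.

```python
import math
import struct

# Added example: LSB steganography in a 24-bit BMP plus two triage checks.
# The embedding scheme is an assumption for illustration, not Cardinal RAT's.


def make_bmp(width, height, colour=(0x10, 0x20, 0x30)):
    """Build a minimal uncompressed 24-bit BMP filled with one colour (constructed sample)."""
    row_bytes = (width * 3 + 3) & ~3           # each row is padded to a 4-byte boundary
    pixel_size = row_bytes * height
    pixel_offset = 14 + 40                      # file header + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", pixel_offset + pixel_size, 0, 0, pixel_offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          pixel_size, 2835, 2835, 0, 0)
    row = bytes(colour[::-1]) * width + b"\x00" * (row_bytes - width * 3)   # BGR order
    return file_hdr + dib_hdr + row * height


def parse_bmp(data):
    """Return (pixel_offset, pixel_array_size) computed from the BMP headers."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row_bytes = ((width * bpp + 31) // 32) * 4
    return pixel_offset, row_bytes * abs(height)


def _bits(msg):
    """Yield the bits of msg, most significant bit of each byte first."""
    for byte in msg:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed_lsb(bmp, payload):
    """Hide payload in the low bit of successive pixel bytes, prefixed with its 4-byte length."""
    off, size = parse_bmp(bmp)
    msg = struct.pack("<I", len(payload)) + payload
    if len(msg) * 8 > size:
        raise ValueError("payload too large for this image")
    pixels = bytearray(bmp[off:off + size])
    for i, bit in enumerate(_bits(msg)):
        pixels[i] = (pixels[i] & 0xFE) | bit
    return bmp[:off] + bytes(pixels) + bmp[off + size:]


def extract_lsb(bmp):
    """Recover a payload embedded by embed_lsb; this is what a loader would do at run time."""
    off, size = parse_bmp(bmp)
    pixels = bmp[off:off + size]

    def read(n_bytes, start_bit):
        out = bytearray()
        for b in range(n_bytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[start_bit + b * 8 + k] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack("<I", read(4, 0))[0]
    if 32 + length * 8 > size:
        raise ValueError("length prefix does not fit the pixel array")
    return read(length, 32)


def trailing_bytes(bmp):
    """Bytes after the pixel array: a crude indicator of a payload simply appended to the file."""
    off, size = parse_bmp(bmp)
    return len(bmp) - (off + size)


def lsb_plane_entropy(bmp):
    """Shannon entropy (bits per byte) of the pixel bytes' low-bit plane, packed 8 bits per byte.
    A flat or synthetic image gives ~0; embedded compressed or encrypted data pushes it up."""
    off, size = parse_bmp(bmp)
    pixels = bmp[off:off + size]
    packed = bytes(sum((pixels[i + k] & 1) << (7 - k) for k in range(8))
                   for i in range(0, size - 7, 8))
    counts = {}
    for b in packed:
        counts[b] = counts.get(b, 0) + 1
    n = len(packed)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    clean = make_bmp(64, 64)
    secret = b"constructed payload, stands in for the real thing"
    stego = embed_lsb(clean, secret)
    assert extract_lsb(stego) == secret
    print("trailing bytes:", trailing_bytes(stego))
    print("LSB entropy clean vs stego: %.3f vs %.3f"
          % (lsb_plane_entropy(clean), lsb_plane_entropy(stego)))
```

The trailing-bytes check is the cheap one and catches the simplest variant, a payload glued onto the end of an otherwise valid image. The entropy check needs a baseline: photographic images already have a noisy LSB plane, so compare against a known-clean copy of the same logo or against other images from the same source rather than against a fixed threshold, and treat a high value as a prompt to look closer, not as a verdict.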
The Aim of the Malware
Once installed, Cardinal RAT's goal is to steal sensitive data from the victim, including usernames and passwords, and send it back to the attacker, who can then use the stolen credentials to get at the victim's digital assets. Beyond credential theft, Cardinal RAT can capture screenshots of the victim's desktop, update its own settings, act as a reverse proxy, execute commands, log keystrokes, and download and execute new files. To keep its activity unnoticed, the updated Cardinal RAT can also clean cookies from the browser and uninstall itself, reducing the traces it leaves on the host.
Although Unit 42 did not disclose further details about the affected firms, its report shows the malware's targets were Israeli technology firms that build software for cryptocurrency and forex trading.