Israeli fintech firms hit by Cardinal RAT malware

The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a malware that has been targeting Israeli cyberspace especially those dealing with technology and financial sector.

Dubbed Cardinal RAT (remote access Trojan) by researchers; the malware is currently targeting two Israeli fintech companies developing forex and cryptocurrency trading related software. The malware has been around since April 2017 and lets hackers take remote control of the targeted system.

See: New FlawedAmmyy RAT steals data and intercepts audio chat

According to a blog post by Palo Alto Networks, the malware went undetected for the last two years and conducted low-volume attacks until now when researchers identified its updated version using “Carp Downloader” to drop its payload through macros obfuscated in Microsoft documents.

The malware using phishing emails to target its victims especially those individuals involved in trading forex or cryptocurrency sector.

Upon infecting the targeted device; the malware updates itself, collect user data, recover passwords, enable keylogging, take screenshots, download new files, acts as a reverse proxy, execute commands, uninstall itself before cleaning cookies from browsers. 

Obfuscation present in Cardinal RAT payload (Image credit: Palo Alto Networks)

Unit 42 researchers also uncovered a link between Cardinal RAT and EVILNUM, a JavaScript-based persistent malware used in similar attacks. This happened after one of the targeted fintech firms shared a malware sample with Palo Alto Networks in a similar timeframe during which it was hit by Cardinal.

Some of EVILNUM’s capabilities include setting up persistence, running arbitrary commands, downloading of additional files and taking screenshots.

Even if the two families are not linked, they both have similar targeting interests, and so FinTech organizations should ensure they are protected against the malware used. Whilst we haven’t been able to gain an insight into what the attackers do once successfully on a target network, it’s likely (based on the targets) they use their access to facilitate financial gain, said Tom Lancaster and Josh Grunzweig from Palo Alto Networks.

See: Top 10 Best Antivirus software for 2019

Furthermore, researchers advice that companies should keep their spam filtering on, update their Windows machines to the latest versions, make policy and do not allow inbound e-mails with LNK file as attachments or inbound e-mails with attached ZIP files containing a single LNK file inside them.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts