The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a malware that has been targeting Israeli cyberspace especially those dealing with technology and financial sector.
Dubbed Cardinal RAT (remote access Trojan) by researchers; the malware is currently targeting two Israeli fintech companies developing forex and cryptocurrency trading related software. The malware has been around since April 2017 and lets hackers take remote control of the targeted system.
According to a blog post by Palo Alto Networks, the malware went undetected for the last two years and conducted low-volume attacks until now when researchers identified its updated version using “Carp Downloader” to drop its payload through macros obfuscated in Microsoft documents.
The malware using phishing emails to target its victims especially those individuals involved in trading forex or cryptocurrency sector.
Upon infecting the targeted device; the malware updates itself, collect user data, recover passwords, enable keylogging, take screenshots, download new files, acts as a reverse proxy, execute commands, uninstall itself before cleaning cookies from browsers.
Some of EVILNUM’s capabilities include setting up persistence, running arbitrary commands, downloading of additional files and taking screenshots.
Even if the two families are not linked, they both have similar targeting interests, and so FinTech organizations should ensure they are protected against the malware used. Whilst we haven’t been able to gain an insight into what the attackers do once successfully on a target network, it’s likely (based on the targets) they use their access to facilitate financial gain, said Tom Lancaster and Josh Grunzweig from Palo Alto Networks.
Furthermore, researchers advice that companies should keep their spam filtering on, update their Windows machines to the latest versions, make policy and do not allow inbound e-mails with LNK file as attachments or inbound e-mails with attached ZIP files containing a single LNK file inside them.