Cardinal RAT Malware Goes After Israeli Fintech and Crypto Firms Per Unit 42 Research Report
Unit 42, the threat-intelligence team of Palo Alto Networks, published a report on March 19, 2019 revealing that the Cardinal Remote Access Trojan (RAT), a malware family that gives an attacker remote control of a victim's computer, is now targeting Israeli cryptocurrency and financial technology (fintech) firms.
A Deadly Malware
According to Unit 42, an older version of Cardinal RAT was initially discovered in April 2017, while the team was investigating an attack against two Israeli firms that develop crypto and forex trading software.
However, the latest update to Cardinal RAT allows the malware to operate in a more sophisticated way, making it harder to detect and analyze.
“Unlike previously seen samples, this latest version of Cardinal RAT employs various obfuscation techniques to hinder analysis of the underlying code,” the team stated.
Explaining further, Unit 42 noted that “the first layer of obfuscation comes in the form of steganography; the initial sample is compiled with .NET and contains an embedded bitmap (BMP) file. When executed, the malware will read the BMP file, parse out pixel data from the image, and decrypt the result using a single-byte XOR key.”
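The quoted description maps directly onto a routine an analyst writes when triaging such a sample: walk the BMP header to the pixel array, strip the per-row padding, then brute-force the single-byte XOR key by testing which of the 256 candidates yields an expected payload prefix. The example below is added here and is not code from the Unit 42 report or from the malware; it builds a constructed 24-bit BMP carrying a fake XOR-encoded blob purely so the extractor has something to run against, and the `MZ` prefix used to recognise the decoded payload is an assumption (the report does not say what the decrypted result begins with).

```python
import struct

# Constructed demo payload: NOT an executable, just bytes with a recognisable prefix.
PAYLOAD = b"MZ" + b"constructed-fake-payload-for-the-demo"
KEY = 0x5A  # constructed single-byte XOR key


def build_bmp_with_payload(payload: bytes, key: int, width: int = 16) -> bytes:
    """Construct a 24-bit BMP whose pixel bytes carry payload XOR key.

    Only used to create a self-contained test input; a real sample would be
    carved from the .NET resource section instead.
    """
    encoded = bytes(b ^ key for b in payload)
    row_bytes = width * 3                      # 3 bytes per pixel (BGR)
    row_padded = (row_bytes + 3) & ~3          # rows are padded to 4-byte multiples
    height = -(-len(encoded) // row_bytes)     # ceiling division
    rows = []
    for r in range(height):
        chunk = encoded[r * row_bytes:(r + 1) * row_bytes].ljust(row_bytes, b"\x00")
        rows.append(chunk + b"\x00" * (row_padded - row_bytes))
    pixels = b"".join(rows)
    pixel_offset = 14 + 40                     # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixels), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def extract_pixel_bytes(bmp: bytes) -> bytes:
    """Parse the BMP headers and return the raw pixel bytes with row padding removed.

    Rows are returned in file order; whether a given sample packs its data
    top-down or bottom-up is a per-sample detail to confirm during analysis.
    """
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bits_per_pixel = struct.unpack_from("<H", bmp, 28)[0]
    if bits_per_pixel != 24:
        raise ValueError(f"unsupported bit depth: {bits_per_pixel}")
    row_bytes = width * 3
    row_padded = (row_bytes + 3) & ~3
    out = bytearray()
    for r in range(abs(height)):
        start = pixel_offset + r * row_padded
        out += bmp[start:start + row_bytes]
    return bytes(out)


def recover_single_byte_xor(data: bytes, known_prefix: bytes = b"MZ") -> tuple[int, bytes]:
    """Brute-force the 256 possible keys and keep the one that reveals known_prefix.

    Trailing pad bytes from the last BMP row decode to the key value itself,
    so callers should trust only the length they expect (or a length field
    recovered from the sample), not everything returned here.
    """
    for key in range(256):
        if bytes(b ^ key for b in data[:len(known_prefix)]) == known_prefix:
            return key, bytes(b ^ key for b in data)
    raise ValueError("no single-byte key produces the expected prefix")


def demo() -> tuple[int, bytes]:
    """Round-trip: build the constructed carrier, then recover key and payload from it."""
    bmp = build_bmp_with_payload(PAYLOAD, KEY)
    pixel_bytes = extract_pixel_bytes(bmp)
    return recover_single_byte_xor(pixel_bytes)


if __name__ == "__main__":
    key, decoded = demo()
    print(f"recovered key 0x{key:02x}, payload starts with {decoded[:16]!r}")
```

The same routine works unchanged on a carrier image carved from a real sample, provided the analyst substitutes whatever prefix the decrypted stage is known to start with; if no prefix is known, a printable-ratio or entropy score over the 256 candidates is the usual fallback.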
Cardinal RAT Steals Victims' Data
The researchers also noted that the payload of the latest version of Cardinal RAT does not differ significantly from the original in its mode of operation and capabilities.
Reportedly, once the RAT is on a victim's computer, it collects victim data, updates its settings, acts as a reverse proxy, and executes commands before finally deleting itself from the system.
Beyond those functions, Cardinal can also recover the victim's passwords, download and execute files, log keystrokes, take screenshots, update itself automatically, and clear all cookies in the user's browser.
Cardinal RAT Operates Like EVILNUM
Per the team, Cardinal RAT has almost the same modus operandi as EVILNUM, another dangerous malware family that targets crypto and fintech firms.
“When examining files submitted by the same customer in a similar timeframe to the Cardinal RAT samples, we discovered that the customer had also submitted a malware family we'd been tracking as EVILNUM. From our viewpoint this is another family that seems to be only interested in attacking finance-related firms,” the report reads.
Unit 42 describes EVILNUM as a first-stage malware family whose primary objective is to give the attacker vital information about the host computer, so that they can decide which other malware to install on the system.
Although there have been no reported cases of crypto theft facilitated by EVILNUM or Cardinal RAT attacks, the researchers concluded that firms in the crypto and fintech sector should deploy robust spam filtering, practise proper system administration, and keep their Windows hosts regularly updated to avoid being compromised.