One Trojan malware campaign tries to compromise financial technology, as well as crypto trading companies, in an effort of harvesting credentials, passwords, or some other confidential information.

Cyber attacks spotted by Unit 42

The cyber attacks which leveraged an updated version of the Cardinal RAT malware were actually detected and detailed by Unit 42, which is the research division of security company named Palo Alto Networks.

Cardinal RAT stayed under the radar for about two years before it was uncovered in 2017; however, having that cover blown has not stopped the cybercriminals from the deployment of malware, trying to infiltrate the networks of high-value targets utilizing Windows systems stealthily.

The versions of Cardinal from previously utilized phishing emails, as well as malicious document,  lures to compromise targets, and this latest variant seems to use similar tactics.

Information within the payload also identified that the malware has versions 1.7.2 – the incarnation from 2017 was 1.4, suggesting its malicious authors were quite busy in providing updates in the time since.

That includes the introduction of some new obfuscation techniques in order to mask the underlying code, with the primary layer of this coming from the deployment steganography, to mask the sample that was initially compiled in .NET and embedded in a.BMP image file.

Additionally to this additional obfuscation, the malware also saw some minor tweaks in how it is configured; however, the core goal of Cardinal is still the same – infiltrate the target PC and then carry out malicious activities.

The malware collecting usernames and passwords

The malware may also collect passwords and usernames, capture screenshot or perform keylogging – all of this enabling the attacker to get his or her hands on the sort of information that may help them in gaining access to sensitive accounts.

Cardinal may also download, as well as execute new files, update itself and also update settings of the machine. It may even uninstall itself and clear the cookies from certain browsers, trying to keep the activity hidden when the deed is already done.

The campaign also seems to be mainly focused on FinTech organizations in Israel, especially the ones that write software relating to forex and crypto trading.

There is no evidence right now which suggests that the attacks were successful, but it is probable that cybercriminals see the financial tech firms as a lucrative target – if they may actually break into the network and reap all the rewards. So, the attacks are probable to continue attempting.

The deputy director of threat intelligence for Unit 42 at Palo Alto Networks said this is where the criminals felt they may get the most return on their investment of money and time resources.

She added that this shows another aspect of sophistication and thoughtfulness on the part of the attackers. Instead of carrying out a broad style attack, they were focused on their attacks. This makes the discovery less probable.

Using the Evilnum malware

While exact details of the attacker are still unknown, the researchers that examine Cardinal RAT have noticed one of the targets of the malware was also targeted by the attackers with the use of another form of malware, which is known as Evilnum.

It is also possible that Evilnum was utilized as the loader for Cardinal, and potentially some other malicious tools, hence developed by the same attack group. But, the researchers also noted that it could be a case of two different attacks groups too, trying to compromise the identical FinTech organizations which the two of them see as a lucrative target.

The two different forms of malware are still active, but several necessary procedures have to stop organizations from falling victim.

Miller Osborn said that running up-to-date security which may block malicious attachments, as well as sites, encouraging users just to open the attachments which they trust from parties which they believe and staying up-to-date on security updates may all help protect.


Please enter your comment!
Please enter your name here