Posted on January 3, 2023 at 3:35 PM
Cybersecurity researchers have detected a new malware campaign. The campaign uses sensitive information stolen from banks to send phishing emails carrying a remote access trojan known as BitRAT.
Hackers send phishing emails using stolen bank details
The threat actor behind this campaign gained unauthorized access to the IT infrastructure of a cooperative bank in Colombia. The attacker used the information taken from the bank to craft fake but convincing messages that lured victims into opening Excel attachments carrying a suspicious link.
The findings are consistent with a discovery made by the cybersecurity company Qualys, which found evidence of a database dump comprising 418,777 records. The dump is believed to have followed the exploitation of SQL injection flaws.
Some of the details that the hacker obtained access to following the exploit include Cédula numbers. Cédula is a national identity document that is normally issued to citizens based in Colombia. Besides the Cédula numbers, the hacker could also access phone numbers, email addresses, customer names, salary details, payment records, and physical addresses.
There are no details confirming that the stolen information was previously shared on a darknet hacker forum. This indicates that the threat actors obtained access to the customer data and later used it to run their own phishing campaigns.
The Excel file, which contains the stolen bank details, embeds a macro of the kind usually used to download a second-stage DLL payload. The file is configured to retrieve and execute the BitRAT malware on the compromised user device.
Akshat Pradhan, a cybersecurity researcher with Qualys, noted that the malware uses the WinHTTP library to download payloads embedded with BitRAT. These payloads are downloaded from GitHub and written to the temp directory.
The GitHub repository was created in November of last year to host the payloads. It stores concealed BitRAT loader samples that are decoded and launched to complete the infection chain.
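A defender's view of the chain described above, as an added example that is not Qualys' or the article's code: it runs a handful of constructed Sysmon-style events (process creation, network connection and file creation, rendered as JSON lines) through three rules that correspond to the steps the article names, an Office process connecting to a code-hosting domain, an Office process writing a DLL into the temp directory, and an Office process spawning a DLL loader from that directory. The rule names, field names, file paths and host list are assumptions chosen for illustration; the GitHub domains are matched as exact suffixes so that look-alike domains do not count.

```python
"""Flag an Office-macro -> GitHub download -> temp DLL -> loader chain.

Added example, not the article's or Qualys' code. Events and paths below are
constructed; field names mirror Sysmon event IDs 1, 3 and 11 as JSON.
"""
import json
import re

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Legitimate hosting the campaign abuses: a hit is a signal to triage, not proof.
CODE_HOSTS = ("github.com", "githubusercontent.com")
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def proc_name(image: str) -> str:
    """Lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def is_code_host(host: str) -> bool:
    """True only for the listed domains or their subdomains (not 'evilgithub.com')."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CODE_HOSTS)


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyse(events: list) -> list:
    """Return (rule, detail) tuples, one per event matching a chain step."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = proc_name(ev.get("Image", ""))
        parent = proc_name(ev.get("ParentImage", ""))
        if eid == 3 and image in OFFICE_PROCS and is_code_host(ev.get("DestinationHostname", "")):
            findings.append(("office_net_to_code_host", f"{image} -> {ev['DestinationHostname']}"))
        elif eid == 11 and image in OFFICE_PROCS:
            target = ev.get("TargetFilename", "")
            if TEMP_PATH.search(target) and target.lower().endswith(".dll"):
                findings.append(("office_writes_dll_to_temp", target))
        elif eid == 1 and parent in OFFICE_PROCS and image in DLL_LOADERS:
            cmd = ev.get("CommandLine", "")
            if TEMP_PATH.search(cmd):
                findings.append(("office_spawns_dll_loader_from_temp", cmd))
    return findings


# Constructed sample: three malicious steps plus two benign events that must not fire.
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\ana\\AppData\\Local\\Temp\\stage2.dll"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\ana\\AppData\\Local\\Temp\\stage2.dll,Start"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\ana\\Documents\\statement.xlsx"}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "github.com", "DestinationPort": 443}
"""


def run_sample() -> list:
    """Analyse the constructed log; returns the three chain findings in order."""
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

Each rule on its own is noisy in a real estate (Excel legitimately reaches GitHub in some shops), so the useful signal is the sequence: all three firing for the same user session within a short window is what merits an alert.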
BitRAT is classified as an off-the-shelf malware that is available for sale on hacker forums. The malware can be purchased for as low as $20, but it comes with multiple functions, such as stealing data, harvesting user credentials, mining cryptocurrencies, and downloading additional binaries.
According to Pradhan, “commercial off the shelf RATs have been evolving their methodology to spread and infect their victims. They have also increased the usage of legitimate infrastructures to host their payloads, and defenders need to account for it.”
Exploits in the financial space persist
While this campaign, which targets a bank directly, is a notable case, attacks on the financial industry as a whole remain frequent. Threat actors are constantly looking for malware that can be used against the financial industry while remaining undetected.
In Europe, the financial and insurance industries have been targeted by the Raspberry Robin worm. This malware has evolved significantly, with its capabilities changing with each new campaign, and it is able to operate undetected.
Security Joes released a report detailing the new way threat actors use the malware. The report noted that the malware was unique because it was “heavily obfuscated and highly complex to statically disassemble.”
The attacks targeted organizations in Spain and Portugal. In these cases the malware collected data from the victim’s machine beyond what earlier documentation had described. Additionally, the malware showed signs of using sophisticated techniques to resist analysis.
The Raspberry Robin malware is also known as QNAP worm. The malware is being used by threat actors as a way of gaining access to target networks. The malware is spread through infected USB devices and other methods. The threat actors using the malware have also come up with a framework that can be used in attacks targeting the government and the telecommunications industry.
The malware uses a shellcode downloader engineered to fetch additional executables. The downloader has received major upgrades that allow it to profile victims in order to deliver the appropriate payloads. In some cases, the malware can also trick the targeted victims by sending fake malware.
Felipe Duarte, a threat researcher, noted that “not only did we discover a version of the malware that is several times more complex, but we also found that C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload.”