[BreachExchange] This updated trojan malware campaign targets fintech and cryptocurrency trading companies

Destry Winant destry at riskbasedsecurity.com
Mon Mar 25 02:25:01 EDT 2019


A trojan malware campaign is attempting to compromise financial
technology and cryptocurrency trading companies in an effort to
harvest credentials, passwords and other confidential information.

The cyberattacks leveraging an updated version of the Cardinal RAT
malware have been spotted and detailed by Unit 42, the research
division of security company Palo Alto Networks.

Cardinal RAT remained under the radar for two years before being
uncovered in 2017 – but having that cover blown hasn't stopped cyber
criminals from deploying the malware in an effort to stealthily
infiltrate the networks of high-value targets using Windows systems.

The previous version of Cardinal used phishing emails and malicious
document lures to compromise targets and this latest variant appears
to use similar tactics.

Information within the payload identifies the malware as version
1.7.2 – the 2017 incarnation was version 1.4, suggesting its malicious
authors have been busy providing updates in the time since.

That includes the introduction of new obfuscation techniques to hide
the underlying code, with the first layer of this coming from
deploying steganography to hide the sample which is initially compiled
in .NET and embedded in a .BMP image file.
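The page does not say how the .NET sample is encoded inside the .BMP, so the following is an added defender-side heuristic (not Unit 42's code, and not the campaign's actual format) that assumes the payload is carried as raw bytes inside or after the image: it parses the BMP header, flags data beyond the declared file size, and looks for an MZ/PE header pair. A constructed 1x1 BMP and a constructed PE stub stand in for real samples.

```python
"""Heuristic check for a BMP image carrying an embedded PE (e.g. a .NET assembly)."""
import struct
from typing import Optional

PE_SIGNATURE = b"PE\0\0"

def parse_bmp_header(data: bytes) -> dict:
    """Read declared file size and pixel-data offset from the 14-byte BMP file header."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _magic, declared_size, _r1, _r2, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    return {"declared_size": declared_size, "pixel_offset": pixel_offset}

def find_embedded_pe(data: bytes) -> Optional[int]:
    """Return the offset of an MZ header whose e_lfanew points at 'PE\\0\\0', else None.
    Requiring the PE signature avoids false hits on a stray 'MZ' in pixel data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < len(data) - pos and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def assess_bmp(data: bytes) -> dict:
    """Combine the two heuristics into one verdict with human-readable findings."""
    hdr = parse_bmp_header(data)
    findings = []
    if len(data) > hdr["declared_size"]:
        findings.append("trailing data beyond declared BMP size")
    pe_off = find_embedded_pe(data)
    if pe_off is not None:
        findings.append(f"PE header at offset {pe_off}")
    return {"suspicious": bool(findings), "findings": findings, **hdr}

def build_sample(payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal 1x1 24-bit BMP with an optional appended payload."""
    pixel = b"\x00\x00\xff\x00"  # one BGR pixel, row padded to 4 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixel)
    return struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(dib)) + dib + pixel + payload

def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS stub whose e_lfanew points at the PE signature."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + PE_SIGNATURE + b"\0" * 20

if __name__ == "__main__":
    print(assess_bmp(build_sample()))
    print(assess_bmp(build_sample(fake_pe())))
```

A payload hidden in pixel bit planes rather than as raw bytes would evade the MZ check, so treat a clean result as "nothing obvious", not as proof of a benign file.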

In addition to the obfuscation, the malware itself has seen some minor
tweaks in how it's configured, but the core goal of Cardinal remains
the same – infiltrate the target PC and carry out malicious activity.

The malware can collect usernames and passwords, capture screenshots
and perform keylogging – all enabling the attacker to get their hands
on the sort of information that can help them gain access to sensitive

Cardinal can also download and execute new files, update itself and
update settings of the machine. It can also uninstall itself and clear
cookies from browsers in an effort to keep its activity hidden when
the deed is done.

This campaign appears to be specifically focused on fintech
organisations in Israel, in particular those who write software
relating to forex and cryptocurrency trading.

There's currently no evidence to suggest that the attacks have been
successful, but it's likely that cyber criminals view financial
technology firms as a lucrative target – if they can break into the
network and reap the rewards. So the attackers are likely to keep

"At its simplest, this is where the attackers felt they could get the
most return on their investment of time and money resources," Jen
Miller Osborn, deputy director of threat intelligence for Unit 42 at
Palo Alto Networks told ZDNet.

"This indicates another aspect of thoughtfulness and sophistication on
the part of the attackers. Rather than carry out a broad style attack,
they've been very focused in their attacks. This in turn makes
discovery less likely," she added.

While the exact details of the attacker remain unknown, researchers
examining Cardinal RAT noticed one of the malware's targets had also
been targeted by attackers using another form of malware known as

It's possible that Evilnum is being used as a loader for Cardinal –
and potentially other malicious tools – and therefore developed by the
same attack group. However, researchers also note that it could also
be a case of two different attack groups attempting to compromise the
same fintech organisations that they both see as a lucrative target.

The two forms of malware remain active, but a few basic procedures
should stop organisations from falling victim.

"Running up-to-date security that can block malicious attachments and
sites, encouraging users to only open attachments that they trust from
parties that they trust and staying up to date on security updates can
all help protect," said Miller Osborn.

Unit 42 have detailed the Indicators of Compromise for Cardinal RAT
and Evilnum in their analysis of the malware.
