A comprehensive malware called “CardinalRAT” has been used to target two Israeli Fintech companies, “who write software relating to forex and cryptocurrency trading,” cybersecurity firm Palo Alto Network writes.
Attackers appear to be motivated by financial gain.
Once installed, CardinalRAT malware allows attackers to:
- Collect victim information
- Update settings
- Act as a reverse proxy
- Execute command
- Uninstall itself
- Recover passwords
- Download and Execute new files
- Keylogging (surreptitious capture of keyboard strokes so as to collect passwords, etc.)
- Capture screenshots
- Update Cardinal RAT
- Clean cookies from browsers
Research at Palo Alto’s Unit 42 division also shows that CardinalRAT may have, “a possible relationship…(with) another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.”
Palo Alto writes that CardinalRAT malware, “…remained undetected for over two years,” in part thanks to, “…a series of modifications have been made to the RAT, many of which are used to evade detection and hinder analysis.”
Once they detected an apparent CardinalRAT precursor, Unit 42, “…continued to monitor this threat, resulting in the discovery of a series of attacks using an updated version of Cardinal RAT.”
The software has reportedly been strategically deployed to individuals working at Fintechs creating forex and crypto trading software:
“The lure documents used consistently related to lists of names/numbers of individuals involved in trading forex/crypto currency, a niche theme to use if targeting individuals outside of this sector.”
Fintechs are advised to carefully observe standard anti-malware precautions:
“Organizations with effective spam filtering, proper system administration, and up-to-date Windows hosts have a much lower risk of infection. Generic defenses against these threats include:
- Do not allow inbound e-mails with LNK file as attachments, or, do not allow inbound e-mails with attached ZIP files containing a single LNK file inside them.
- Do not allow inbound e-mails from external sources where the documents contain macros, or, if you do, ensure a proper policy is configured.
- Enforce parent-child process policies to restrict the use of scripting languages by malware.”
Palo Alto customers can also receive additional protection from the company by subscribing.