Tuesday, January 3, 2023

Hackers Using Stolen Bank Data to Trick Victims into Downloading BitRAT Malware


Jan 03, 2023 | Ravie Lakshmanan | United States

A new malware campaign has been observed using sensitive information stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT.

The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the information to craft convincing decoy messages that lure victims into opening suspicious Excel attachments.

The discovery comes from cybersecurity firm Qualys, which found evidence of a database dump comprising 418,777 records that is said to have been obtained by exploiting SQL injection flaws.

The leaked details include Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary details, and addresses, among others.

There are no signs that the information has previously been shared on any forums on the darknet or clear web, suggesting that the threat actors themselves obtained access to the customer data in order to mount the phishing attacks.

The Excel file, which contains the exfiltrated bank data, also embeds a macro that is used to download a second-stage DLL payload, which in turn is configured to retrieve and execute BitRAT on the compromised host.

BitRAT Malware

"It uses the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory," Qualys researcher Akshat Pradhan said.

Created in mid-November 2022, the GitHub repository is used to host obfuscated BitRAT loader samples that are eventually decoded and launched to complete the infection chain.
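The chain described above (an Office macro that uses WinHTTP to fetch a GitHub-hosted stage into %temp% and drops a DLL) gives defenders a handful of cheap triage signals. The following is an added example, not Qualys' tooling or anything from the campaign: it scores strings extracted from a macro project against indicator patterns derived from that description. The indicator list, weights and threshold are assumptions, and the sample strings are constructed for illustration, not taken from the real lure.

```python
import re

# Indicator patterns and weights (assumed, derived from the reported chain:
# WinHTTP download, GitHub-hosted payload, %temp% drop, DLL stage, auto-run).
INDICATORS = {
    "winhttp":       (re.compile(r"WinHttp\.WinHttpRequest|WinHttpOpen|winhttp\.dll", re.I), 2),
    "github_hosted": (re.compile(r"https?://(raw\.githubusercontent\.com|github\.com)/", re.I), 2),
    "temp_drop":     (re.compile(r'Environ\("TEMP"\)|%temp%', re.I), 1),
    "dll_payload":   (re.compile(r"\.dll\b", re.I), 1),
    "auto_exec":     (re.compile(r"\b(Auto_Open|Workbook_Open)\b", re.I), 1),
}
REVIEW_THRESHOLD = 5  # assumed: WinHTTP + GitHub alone is not enough, add a drop or DLL hint


def triage_vba(lines):
    """Score extracted macro strings; returns matched indicators (first line hit) and a verdict."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        for name, (pattern, _weight) in INDICATORS.items():
            if name not in hits and pattern.search(line):
                hits[name] = lineno
    score = sum(INDICATORS[name][1] for name in hits)
    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"indicators": hits, "score": score, "verdict": verdict}


# Constructed sample: fragments as a strings tool might pull from a macro project.
# Placeholder account/repo names; this is not the campaign's macro.
SUSPICIOUS_STRINGS = [
    "Sub Auto_Open()",
    'CreateObject("WinHttp.WinHttpRequest.5.1")',
    "https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/stage.bin",
    'Environ("TEMP") & "\\stage.dll"',
]
# Constructed benign sample: ordinary spreadsheet formatting macro.
BENIGN_STRINGS = [
    "Sub FormatReport()",
    'Range("A1:D1").Font.Bold = True',
]

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_STRINGS), ("benign", BENIGN_STRINGS)):
        print(label, triage_vba(sample))
```

Run it against strings dumped from the vbaProject.bin stream of any macro-enabled attachment to get a quick prioritisation hint before deeper analysis.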

BitRAT, an off-the-shelf malware available for sale on underground forums for a mere $20, comes with a wide range of functionalities to steal data, harvest credentials, mine cryptocurrency, and download additional binaries.

"Commercial off the shelf RATs have been evolving their methodology to spread and infect their victims," Pradhan said. "They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it."
