
BitRAT operators now using stolen bank details as a lure

Researchers at Qualys have uncovered a new technique employed by users of the well-established Trojan BitRAT.

David Hollingworth
Fri, 06 Jan 2023

The trick uses real bank customer details as a lure. The unidentified cyber criminals appear to have co-opted a Colombian banking cooperative’s infrastructure, gaining access to a wide range of customer data, including Colombian national IDs, addresses, and transaction records.

Qualys has not found any of the breached information on dark web repositories and has disclosed the breach to its over 400,000 victims.

BitRAT is a popular remote access Trojan and has been available to buy for just US$20 since February 2021 from a range of criminal forums and websites.


The banking data is stored in a malicious Excel document which, once downloaded, delivers a highly segmented .inf file as its payload. A macro in the Excel file reassembles the segments and writes the rebuilt .inf file to the machine’s %temp% folder.

This .inf file in turn runs a second stage .dll payload, which executes and then deletes the files in %temp%.

The .dll then downloads the final BitRAT payload to the %temp% directory from a GitHub repository, which was itself created by a throwaway account in November of last year.

The repository contains four different loader files, each of which features real resources from two hijacked companies for added authenticity alongside a BitRAT sample.

WinExec then runs the new payload, after which the sample moves the loader to the startup folder, so that the Trojan runs every time a user boots their machine.
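The chain described above (Office drops an .inf into %temp%, a .dll runs from %temp%, a payload is fetched from GitHub, and the loader lands in the Startup folder) is exactly the kind of sequence a defender can correlate per host. The example below is added here and is not code from the article or from Qualys; it assumes simplified Sysmon-style event fields (type, image, target, dest), treats anything under AppData as user-writable, and runs over constructed sample events.

```python
import re
from collections import defaultdict

# Path heuristics (assumptions, not from the article): user Temp folder,
# user-writable AppData tree, per-user Startup folder, Office binaries, GitHub hosts.
TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
OFFICE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)
GITHUB = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$", re.I)

def stage_of(ev):
    """Map one simplified event to a chain stage, or None if it matches nothing."""
    t, img, tgt = ev["type"], ev.get("image", ""), ev.get("target", "")
    if t == "FileCreate" and OFFICE.search(img) and TEMP.search(tgt) and tgt.lower().endswith(".inf"):
        return "office_drops_inf"          # macro writes the rebuilt .inf to %temp%
    if t == "ImageLoad" and TEMP.search(tgt) and tgt.lower().endswith(".dll"):
        return "dll_from_temp"             # second-stage .dll executed out of %temp%
    if t == "NetworkConnect" and USER_WRITABLE.search(img) and GITHUB.search(ev.get("dest", "")):
        return "github_fetch"              # payload pulled from GitHub by a user-writable binary
    if t == "FileCreate" and STARTUP.search(tgt):
        return "startup_persistence"       # loader copied into the Startup folder
    return None

def flag_hosts(events, min_stages=3):
    """Return {host: sorted stages} for hosts that hit at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample telemetry, not real data: ws01 shows the full chain,
# ws02 only has a legitimate installer writing a Startup shortcut.
T = r"C:\Users\bob\AppData\Local\Temp"
EVENTS = [
    {"host": "ws01", "type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "target": T + r"\update.inf"},
    {"host": "ws01", "type": "ImageLoad", "target": T + r"\stage2.dll"},
    {"host": "ws01", "type": "NetworkConnect", "image": T + r"\stage2.exe", "dest": "raw.githubusercontent.com"},
    {"host": "ws01", "type": "FileCreate", "image": T + r"\loader.exe", "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.exe"},
    {"host": "ws02", "type": "FileCreate", "image": r"C:\Program Files\Vendor\setup.exe", "target": r"C:\Users\amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.lnk"},
]

if __name__ == "__main__":
    print(flag_hosts(EVENTS))
```

Requiring three of the four stages keeps a lone Startup-folder write (common for legitimate installers) from firing on its own.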

The BitRAT Trojan is popular because of its versatility. It can run tasks, mine crypto, steal credentials, exfiltrate data, perform DDoS attacks, and record from webcams and microphones.

“Commercial off-the-shelf RATs have been evolving their methodology to spread and infect their victims,” said Akshat Pradhan, senior engineer, threat research at Qualys, in a blog post. “They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.