According to the Israeli news agency a Trojan-style malware is attacking Israeli FinTech and cryptocurrency trading firms in an attempt to get revenge. This Cardinal RAT malware was also spotted several years ago in 2017 and went mostly invisible for almost two years. It seems that the virus has returned and is going after the cryptocurrency trading firms again.
What the virus did before, was to enter into the computer using a downloader called Carp and uses Microsoft Excel’s documents to compile the source code into a program which then deploys the malware into the system.
But, the updated version of the malware has reappeared which is evading “detection and hinder analysis”, according to the investigators from Palo Alto Networks’ Unit 42, an American multinational cybersecurity company.
The latest version of the Cardinal RAT virus applies a number of techniques to go through the analysing systems hidden and making it more difficult to find it. One of the techniques include steganography, it refers to a class of programming approach that are used to obscure messages, files, and other important data.
The virus is loaded into the victim’s computer through the data embedded into a Bitmap (BMP) image file during installation. It looks inoffensive from the surface but when the image is opened, the embedded code decodes itself and initiates the attack.
The malware takes your passwords, usernames, and other sensitive data which then it sends back to the malware operators giving them the power to steal your cryptocurrency. According to the report from Unit 42, the malware operators perform the following actions:-
- Collect Victim Information
- Update Settings
- Act As a Reverse Proxy
- Execute Command
- Uninstall It
- Recover Passwords
- Download And Execute New Files
- Capture Screenshots
- Update Cardinal RAT
- Clean Cookies From Browsers
Two Cardinal RAT attacks have been observed since 2017 and according to Unit 42 both times the victims were FinTech companies based in Israel. A total of 13 reports have been received until now, which contain nine from Israel, two from the United States and one each from Austria and Japan.