A new malware campaign has been observed that uses sensitive bank information as a lure in phishing emails to fall a remote access trojan known as BitRAT. Hackers deceive people into having to download the BitRAT malware using stolen bank data.
The unknown adversary is thought to have hacked a Colombian cooperative bank’s IT infrastructure and used the information to craft persuasive decoy messages to trick victims into starting suspicious Excel attachments.
The discovery was made by security company Qualys, which discovered evidence of a database dump containing 418,777 records that were acquired by exploiting SQL injection flaws.
Cédula statistics (a national identity ensures that sufficient for Colombian citizens), email accounts, telephone numbers, customer names, payroll data, salary details, and addresses are among the leaked details.
There is no evidence that the information was posted previously on any forums on the darknet or clear web implying that the threat actors gained access to customer data to carry out the phishing attacks.
The Excel file containing the stolen bank data contains a macro that is used to download a 2nd DLL payload that is provisioned to recover and execute BitRAT on the compromised host.
“It downloads BitRAT embedded packets from GitHub to the%temp% directory using the WinHTTP library,” Qualys researcher Early adopters Pradhan explained.
The GitHub repository, which was created in mid-November 2022, is used to host obfuscated BitRAT loader samples, which are eventually decoded and launched to complete the infection chains.
BitRAT is an off-the-shelf malware that can steal data, produce credentials, mine cryptocurrency, and help app binaries. It can be purchased on underground forums for $20.
“Commercial off-the-shelf RATs have evolved their methodology for spreading and infecting their victims,” Pradhan explained. “They have also increased their use of legitimate infrastructure to host their payloads, which defenders must account for.”
