A malware campaign is currently targeting financial technology companies in Israel, according to SC Media. At the forefront of this attack is an upgraded version of the Cardinal remote access trojan (RAT), which is considered rare because of its low-profile operations. This trojan is known for collecting private data, changing settings, executing commands, stealing passwords and keylogging.
Palo Alto Networks' Unit 42 team found this malware back in 2017, attaching itself to Carp, a downloader that uses Microsoft Excel macros. At the time of its discovery, the RAT had already been running for two years, albeit in smaller campaigns.
The latest version of this trojan, 1.7.2, allows it to evade discovery, making it much harder to detect and address.
Cardinal and EVILNUM
Experts from Unit 42 announced that another malware family, EVILNUM, may also be involved in the recent RAT attacks. The EVILNUM version is also upgraded, allowing it to take screenshots and steal cookies in addition to the data-gathering functions it had before the upgrade.
The originators of both campaigns seem to be using the same tactics, such as lure documents containing the names of entities participating in cryptocurrency and foreign exchange trading.
Despite the similarities, Unit 42 researchers acknowledge that these campaigns may not be linked. However, they are aiming at similar demographics, endangering fintech companies.
Meanwhile, experts say that companies can employ measures to protect themselves from Cardinal RAT and EVILNUM attacks. Spam filters and fully updated Windows hosts offer much better protection, according to Threat Post. Organizations are advised to be wary of emails with an attached LNK file, or with an LNK file inside a compressed archive.
Researchers are still not sure what the attackers do after a successful compromise, but they speculate that financial gain is the main goal of both campaigns.
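One way to act on that advice, as an added example that is not from the article or from Unit 42: a Python check that flags LNK attachments by their Shell Link file header (rather than trusting the file extension) and also looks inside ZIP archives, including nested ones. The sample attachments are constructed inline and contain no real malware.

```python
import io
import zipfile

# A Windows Shell Link (.LNK) file begins with a fixed header: a 4-byte
# HeaderSize of 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")


def is_lnk(data: bytes) -> bool:
    """Identify a Shell Link by its header, so a renamed .lnk is still caught."""
    return data[:20] == LNK_HEADER


def find_lnk_attachments(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return the path of every LNK found in an attachment, descending into ZIPs.

    Nested archives are walked up to max_depth levels so an LNK inside a
    zip-in-a-zip is still reported; anything deeper is left unexamined.
    """
    hits = []
    if is_lnk(data):
        hits.append(name)
    elif depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                hits.extend(find_lnk_attachments(f"{name}/{info.filename}", member, depth + 1, max_depth))
    return hits


def build_samples() -> dict:
    """Constructed sample attachments (hypothetical, not real malware): a plain
    text file and a ZIP that hides a bare LNK header under a misleading name."""
    fake_lnk = LNK_HEADER + b"\x00" * (0x4C - len(LNK_HEADER))  # padded to header size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", fake_lnk)  # LNK disguised as a PDF
        zf.writestr("readme.txt", b"hello")
    return {"notes.txt": b"just text", "statement.zip": buf.getvalue()}


if __name__ == "__main__":
    for attachment_name, content in build_samples().items():
        print(attachment_name, "->", find_lnk_attachments(attachment_name, content))
```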