In the past, Unit 42, the security research team at Palo Alto Networks, reported on the small-volume malware family Cardinal RAT. Since then, the malware researchers have actively monitored this threat, leading to the discovery of a series of attacks with an updated version of Cardinal RAT. Cybercriminals have made a number of changes to this remote access Trojan (RAT) to avoid detection.
Is someone targeting FinTech directly?
The network communication and the functions available to the remote operator remained the same:
- Gather information about the victim
- Update settings
- Reverse proxy
- Execute commands
- Uninstall itself
- Recover passwords
- Download and execute new files
- Capture screenshots
- Apply updates
- Clear browser cookies
Cardinal RAT and EVILNUM were both used in targeted attacks against FinTech companies. In one case, both malware families were observed on the same target within a short period, and the droppers for both families used similarly titled lure documents. Even if the two families are not connected, the actors behind them pursue similar interests.
FinTech companies should make sure they are protected against the malware used in these attacks. Organizations with good spam filtering, proper system administration and up-to-date Windows environments face a much lower risk of infection.
Generic defenses against these risks include:
- Do not allow inbound emails with an LNK file attached, or with ZIP files that contain a single LNK file.
- Do not allow inbound emails from external sources that contain documents with macros, or make sure the correct policy is configured.
- Restrict the use of scripting languages.
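As an added illustration of the first two controls above (this is example code written for this article, not code from Unit 42 or from any mail-gateway product), the following Python check inspects an email attachment and returns the policy reasons for blocking it: a direct LNK attachment, a ZIP that holds exactly one LNK file, or an Office OOXML document that carries a VBA macro project. The sample attachments are constructed in memory so the check runs offline; the macro heuristic only covers OOXML containers (docm, xlsm, pptm), not legacy OLE .doc/.xls files.

```python
import io
import zipfile

# A Windows Shell Link (.lnk) file starts with the HeaderSize field 0x0000004C
# stored little-endian, so the first four bytes are always these.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def _make_zip(members):
    """Build a ZIP archive in memory from {name: bytes}. Used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_lnk(name, data):
    """True if the attachment looks like a Windows shortcut, by extension or by header."""
    return name.lower().endswith(".lnk") or data[:4] == LNK_MAGIC


def zip_members(data):
    """Return the file names inside a ZIP container, or None if the data is not a ZIP.
    Only the central directory is read; nothing is decompressed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return None


def classify_attachment(name, data):
    """Return a list of policy reasons to block this attachment (empty list = allow)."""
    reasons = []
    if is_lnk(name, data):
        reasons.append("direct LNK attachment")

    members = zip_members(data)
    if members is not None:
        # Control 1: a ZIP whose only content is a single LNK file.
        if name.lower().endswith(".zip") and len(members) == 1 \
                and members[0].lower().endswith(".lnk"):
            reasons.append("ZIP containing a single LNK file")
        # Control 2: macro-enabled OOXML documents store their VBA code in a
        # vbaProject.bin part (e.g. word/vbaProject.bin, xl/vbaProject.bin).
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            reasons.append("Office document with VBA macro project")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachments, not taken from any real campaign.
    samples = {
        "invoice.lnk": LNK_MAGIC + b"\x00" * 72,
        "invoice.zip": _make_zip({"invoice.lnk": LNK_MAGIC + b"\x00" * 72}),
        "report.docm": _make_zip({
            "[Content_Types].xml": b"<Types/>",
            "word/document.xml": b"<document/>",
            "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",
        }),
        "notes.txt": b"plain text, nothing to see",
    }
    for filename, payload in samples.items():
        verdict = classify_attachment(filename, payload)
        print(f"{filename:14s} -> {'BLOCK ' + '; '.join(verdict) if verdict else 'allow'}")
```

In a real gateway this function would run per MIME part after decoding, and the block reasons would be logged alongside sender and message ID so that analysts can review what the filter caught.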