Unit 42, the security research team at Palo Alto Networks, previously reported on the low-volume malware family Cardinal RAT. Since then, the researchers have actively monitored this threat, leading to the discovery of a series of attacks using an updated version of Cardinal RAT. The attackers have made a number of changes to this remote access Trojan (RAT) to evade detection.
Is someone targeting FinTech directly?
The currently observed attacks were directed against the financial technology (FinTech) sector. While investigating these attacks, Palo Alto Networks discovered a possible relationship between Cardinal RAT and another malware family called EVILNUM. EVILNUM is a JavaScript-based malware family used in attacks against similar companies. Since the original discovery of Cardinal RAT, the attackers have made only minor updates. These updates are limited to obfuscation techniques and small changes to the malware itself.
The network communication and the functions available to the remote operator remained the same:
- Gather information about the victim
- Update settings
- Act as a reverse proxy
- Execute commands
- Uninstall itself
- Recover passwords
- Download and execute new files
- Keylogging
- Capture screenshots
- Update itself
- Clear browser cookies
Cardinal RAT and EVILNUM were both used in targeted attacks against FinTech companies. In one case, both malware families were observed at the same target within a short period, and the droppers for both families used similarly named lure documents. Even if the two families are not connected, the respective actors pursue similar interests.
FinTech companies should make sure that they are protected from the malware used. Companies with good spam filtering, proper system administration, and updated Windows environments will be at a much lower risk of infection.
Generic defenses against these risks include:
- Do not allow inbound emails with an LNK file attached, or with ZIP archives that contain a single LNK file.
- Do not allow inbound emails from external sources that contain documents with macros, or make sure the correct policy is configured.
- Restrict the use of scripting languages.
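The first two defenses above can be enforced at a mail gateway as an attachment policy check. The following is an added example written for this article, not code from Unit 42 or Palo Alto Networks. It identifies LNK files by their fixed header bytes rather than by extension alone, treats a ZIP whose only member is an LNK as the delivery pattern described above, and flags macro-enabled Office Open XML documents by the presence of a `vbaProject.bin` part (an assumption that covers docm/xlsm/pptm containers, not legacy OLE `.doc` files). The function names, verdict labels and all sample attachments are constructed for illustration.

```python
"""
Mail-gateway attachment policy check (added example, not Unit 42 / Palo Alto code).

Verdicts:
  block  : LNK file, or a ZIP archive whose only member is an LNK file
  review : Office Open XML document carrying a VBA macro project
  allow  : everything else (still subject to other controls)
"""
import io
import zipfile

# A Windows Shell Link (.lnk) starts with the header size 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# OOXML parts whose presence means the document embeds a VBA project
# (assumption: docm/xlsm/pptm only; legacy OLE .doc macros are not covered here).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def is_lnk(data: bytes) -> bool:
    """Header check, so a renamed .lnk is still caught."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment (name + raw bytes)."""
    lower = name.lower()
    if lower.endswith(".lnk") or is_lnk(data):
        return "block"

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            # Single-LNK archive: the delivery pattern called out in the article.
            if len(members) == 1:
                inner = members[0]
                if inner.filename.lower().endswith(".lnk") or is_lnk(zf.read(inner)):
                    return "block"
            # Macro-enabled Office file: docm/xlsm/pptm are ZIP containers.
            if any(m.filename in MACRO_PARTS for m in members):
                return "review"
    return "allow"


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()


def scan_message(attachments: dict) -> dict:
    """Classify every attachment of one message: {name: verdict}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments (not real samples from the campaign).
SAMPLE_ATTACHMENTS = {
    "invoice.lnk": LNK_MAGIC + b"\x00" * 40,
    "invoice.pdf": LNK_MAGIC + b"\x00" * 40,                 # renamed LNK
    "invoice.zip": make_zip({"invoice.pdf.lnk": LNK_MAGIC + b"\x00" * 40}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"\x00" * 16}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6} {name}")
```

A multi-file archive that happens to include an LNK among other members is deliberately left at "allow" here, because the rule above is specifically about single-LNK archives; broader archive inspection would be a separate policy.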