Security researchers at Palo Alto Networks’ Unit 42 have discovered a remote access Trojan that has been targeting organizations, especially those in the technology and financial sectors.

Dubbed Cardinal RAT (remote access Trojan) by the researchers, the malware is currently targeting two Israeli fintech companies that develop forex and cryptocurrency trading software. It has been around since April 2017 and lets attackers take remote control of the infected system.

See: New FlawedAmmyy RAT steals data and intercepts audio chat

According to a blog post by Palo Alto Networks, the malware went undetected for the last two years, conducting only low-volume attacks, until researchers identified an updated version that uses the “Carp Downloader” to drop its payload via obfuscated macros embedded in Microsoft documents.

The malware is delivered through phishing emails aimed at its victims, especially individuals involved in forex or cryptocurrency trading.

Once it has infected a device, the malware can update itself, collect user information, recover passwords, log keystrokes, take screenshots, download new files, act as a reverse proxy, execute commands, uninstall itself, and clean cookies from browsers.


Obfuscation present in Cardinal RAT payload (Image credit: Palo Alto Networks)

Unit 42 researchers also uncovered a link between Cardinal RAT and EVILNUM, a JavaScript-based persistent malware used in similar attacks. The link emerged after one of the targeted fintech companies shared a malware sample with Palo Alto Networks from the same timeframe in which it was targeted by Cardinal.

Some of EVILNUM’s capabilities include setting up persistence, running arbitrary commands, downloading additional files, and taking screenshots.

“Even if the two families are not linked, they both have similar targeting interests, and so FinTech organizations should ensure they are protected against the malware used. Whilst we haven’t been able to gain an insight into what the attackers do once successfully on a target network, it’s likely (based on the targets) they use their access to facilitate financial gain,” said Tom Lancaster and Josh Grunzweig from Palo Alto Networks.

See: Top 10 Best Antivirus software for 2019

Furthermore, the researchers advise that companies keep spam filtering enabled, keep their machines updated to the latest versions, and adopt a policy that blocks inbound e-mails with LNK file attachments, as well as inbound e-mails with attached ZIP files that contain a single LNK file.
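The attachment rule above is concrete enough to turn into a mail-gateway check. The following Python is an added example written for this article, not code from Palo Alto Networks or Unit 42: it flags an attachment that is an LNK file, or a ZIP whose only member is an LNK file, exactly as the researchers recommend. It goes one step beyond the extension-based rule by also sniffing the fixed Shell Link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to `.pdf` inside the archive is still caught. The sample attachments are constructed inline; the "LNK" bytes are only the header prefix, not a working shortcut.

```python
import io
import zipfile
from typing import Optional

# Fixed 20-byte prefix of a Windows Shell Link (.lnk) file:
# HeaderSize 0x0000004C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Constructed sample: header prefix plus padding; not a functional shortcut.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56


def looks_like_lnk(name: str, head: bytes) -> bool:
    """True if either the file name or the leading bytes identify a shortcut."""
    return name.lower().endswith(".lnk") or head.startswith(LNK_MAGIC)


def check_attachment(name: str, data: bytes) -> Optional[str]:
    """Return a reason to block this inbound attachment, or None if it passes.

    Rules mirror the article's advice: reject LNK attachments and ZIP
    archives whose single member is an LNK file. Content sniffing is added
    so that a renamed shortcut is caught as well.
    """
    if looks_like_lnk(name, data[: len(LNK_MAGIC)]):
        return "direct LNK attachment"

    if name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.infolist() if not m.is_dir()]
                if len(members) == 1:
                    member = members[0]
                    # Read only the header bytes so a huge or hostile member
                    # is never fully decompressed during the check.
                    with zf.open(member) as fh:
                        head = fh.read(len(LNK_MAGIC))
                    if looks_like_lnk(member.filename, head):
                        return f"ZIP containing a single LNK file ({member.filename})"
        except zipfile.BadZipFile:
            # A file claiming to be a ZIP that does not parse is rejected too.
            return "malformed ZIP archive"
    return None


def evaluate_attachments(attachments: list) -> list:
    """Apply check_attachment to (name, bytes) pairs; return the flagged ones."""
    flagged = []
    for name, data in attachments:
        reason = check_attachment(name, data)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in entries.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound mail with four attachments (hypothetical names).
    mail = [
        ("invoice.lnk", FAKE_LNK),                               # flagged
        ("invoice.zip", make_zip({"invoice.lnk": FAKE_LNK})),    # flagged
        ("docs.zip", make_zip({"invoice.pdf": FAKE_LNK})),       # flagged by header sniff
        ("report.pdf", b"%PDF-1.4\n"),                           # passes
    ]
    for attachment_name, why in evaluate_attachments(mail):
        print(f"BLOCK {attachment_name}: {why}")
```

The ZIP rule is deliberately the narrow one the researchers state (a single LNK member); a stricter gateway policy would flag any LNK member regardless of how many other files sit beside it, which is a one-line change to the `len(members) == 1` condition.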
