Old Cardinal RAT Malware Resurrects Through Series Of Updates

A type of malware family not seen since 2017 has resurfaced and is targeting FinTech and cryptocurrency companies in Israel, according to a March 19 blog post from cybersecurity watchdog Unit 42.

The previous version of the malware family, dubbed Cardinal RAT, employed the Carp Downloader, which uses “malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware.”

According to Unit 42, the new version of the Cardinal RAT malware comes with updates and modifications that “evade detection and hinder analysis.” This version of Cardinal RAT uses a variety of obfuscation techniques, including hiding malicious code in in a bitmap file. Once the victim opens the file, the malware is decrypted and begins to infect the victim’s computer.

Unit 42 confirmed the updated version of Cardinal RAT infects the victim’s computer by collecting victim information, updating settings, acting as a reverse proxy, executing a command, uninstalling itself, recovering passwords, downloading and executing new files, keylogging, capturing screenshots, and cleaning cookies from browsers.

According to The Next Web, in addition to nine reports from Israel of Cardinal RAT Malware attacks, there have been two in the US and one in both Japan and Austria. To protect one’s personal data from malware attacks, Unit 42 suggests that individuals and companies beef up their spam filters and parental controls to “restrict use of scripting languages by malware” and not open or even allow “inbound e-mails with LNK file as attachments [or] … e-mails from external sources where the documents contain macros.”

Although the Cardinal RAT malware was silent for two years, there have been quite a few malware attacks targeting the personal data of people and companies. Just last month, cybersecurity firm ESET announced it discovered malware created to steal crypto wallet addresses and personal keys infecting the Google Play store.