March 28, 2023

Jan 03, 2023 | Ravie Lakshmanan | United States

BitRAT Malware

A new malware campaign has been observed using sensitive data stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT.

The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the data to craft convincing decoy messages that lure victims into opening malicious Excel attachments.

The discovery comes from cybersecurity firm Qualys, which found evidence of a database dump comprising 418,777 records that is said to have been obtained by exploiting SQL injection flaws.

The leaked details include Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary details, and addresses, among others.

There are no indications that the data has previously been shared on any forums on the darknet or clear web, suggesting that the threat actors themselves obtained access to the customer data in order to mount the phishing attacks.

The Excel file, which contains the exfiltrated bank data, also embeds a macro that is used to download a second-stage DLL payload, which in turn is configured to retrieve and execute BitRAT on the compromised host.


"It uses the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory," Qualys researcher Akshat Pradhan said.

Created in mid-November 2022, the GitHub repository is used to host obfuscated BitRAT loader samples that are eventually decoded and launched to complete the infection chain.
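The chain described above (an Office macro fetching a payload from GitHub over WinHTTP, dropping a DLL into %temp%, then launching it) leaves a recognisable trail in endpoint telemetry. The following Python is an added example, not code from the article or from Qualys: it correlates Sysmon-style events per host and raises a finding when an Office process is seen connecting to GitHub, writing a DLL under a temp directory, or spawning a child process. The event field names (`host`, `type`, `image`, `dest_host`, `target`, `child`) and the sample events are constructed assumptions for illustration; map them to your own EDR or Sysmon schema.

```python
"""Correlate Office-process telemetry for the macro -> GitHub -> %temp% DLL
chain.  Added example; event schema and sample data are constructed."""
from collections import defaultdict

# Office hosts that a macro would run inside (lower-cased image basenames).
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Code-hosting domains that the article says were used to stage the loader.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Windows temp locations where the downloaded DLL was written.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_office(image: str) -> bool:
    """True when the process image is one of the Office executables."""
    return image.rsplit("\\", 1)[-1].lower() in OFFICE_PROCESSES


def in_temp(path: str) -> bool:
    """True when the path sits under a standard Windows temp directory."""
    lower = path.lower()
    return any(marker in lower for marker in TEMP_MARKERS)


def analyze(events):
    """Group Office-originated signals per host and grade them.

    Three independent signals are tracked: an outbound connection to a
    code-hosting domain, a DLL written into a temp directory, and a child
    process spawned by the Office application.  One signal is 'low', two are
    'medium', all three together reproduce the described chain and are 'high'.
    Hosts with no Office-originated signal are omitted from the result.
    """
    per_host = defaultdict(lambda: {"net": [], "dll": [], "child": []})
    for ev in events:
        if not is_office(ev.get("image", "")):
            continue  # only macro-host processes are of interest here
        obs = per_host[ev["host"]]
        kind = ev["type"]
        if kind == "network" and ev.get("dest_host", "").lower() in CODE_HOSTS:
            obs["net"].append(ev["dest_host"])
        elif kind == "file_create":
            target = ev.get("target", "")
            if target.lower().endswith(".dll") and in_temp(target):
                obs["dll"].append(target)
        elif kind == "process_create" and ev.get("child"):
            obs["child"].append(ev["child"])

    grades = {1: "low", 2: "medium", 3: "high"}
    findings = {}
    for host, obs in per_host.items():
        hits = sum(1 for key in ("net", "dll", "child") if obs[key])
        if hits:
            findings[host] = {"severity": grades[hits], **obs}
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 only an
# Office process reaching GitHub, WS03 a non-Office process reaching GitHub.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "network", "image": EXCEL,
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"host": "WS01", "type": "file_create", "image": EXCEL,
     "target": r"C:\Users\ana\AppData\Local\Temp\loader.dll"},
    {"host": "WS01", "type": "process_create", "image": EXCEL,
     "child": r"C:\Windows\System32\rundll32.exe"},
    {"host": "WS02", "type": "network", "image": WORD,
     "dest_host": "github.com", "dest_port": 443},
    {"host": "WS03", "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "github.com", "dest_port": 443},
]

if __name__ == "__main__":
    for host, finding in sorted(analyze(SAMPLE_EVENTS).items()):
        print(host, finding["severity"], finding)
```

Any single signal is noisy on its own (developers legitimately pull from GitHub, and Office spawns helper processes), which is why the grade only reaches "high" when the three observations coincide on one host; tune the domain and path lists to what the article's chain actually abused rather than alerting on all GitHub traffic.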

BitRAT, an off-the-shelf malware available for sale on underground forums for a mere $20, comes with a wide range of functionalities to steal data, harvest credentials, mine cryptocurrency, and download additional binaries.

"Commercial off-the-shelf RATs have been evolving their methodology to spread and infect their victims," Pradhan said. "They have also increased the usage of legitimate infrastructure to host their payloads and defenders need to account for it."
