Description
A recent malware campaign saw threat actors using stolen data to lure victims with phishing emails and infect them with the BitRAT malware.
Summary
The threat actors behind this attack have been targeting victims in Colombia after they would have managed to hijack sensitive banking information from an undisclosed Colombian cooperative bank. The stolen information was used as lure in phishing emails to make them appear as legitimate as possible. A total of 418,777 records containing sensitive customer data, which includes names, phone numbers, email addresses, local addresses, Colombian national IDs, payment records, and salary information, were stolen from the banks servers, as uncovered by the cloud security firm Qualys. Qualys discovered evidence that the threat actors accessed the servers data using the sqlmap tool, where they were scouting for potential SQL injection bugs. They stated that the stolen information has not been found on the dark web or any websites monitored by them.
The phishing emails contain a malicious excel attachment that is used to deliver the malware. The excel file contains an obfuscated macro that drops a .inf payload that is executed. The payload is segmented into hundreds of arrays and performs a de-obfuscation procedure to rebuild the payload. The rebuilt payload is then written to the temp folder by the macro and executed using advpack.dll. The payload contains a second stage dll payload that is then decoded by the certutil process and then executed by the rundll32 process. This second stage dll utilizes various anti-debugging techniques to download the final BitRAT payload. The BitRAT payload is downloaded from GitHub repositories using the WinHTTP library and written in the temp directory where it is executed by the WinExec process.In the last stage of this attack, the malware is moved to the Windows startup folder to achieve persistence and restart after system reboots.
The BitRAT malware is a remote access trojan (RAT) that is available for purchase on dark web markets and was seen since in April of 2020. It is notorious for its social media presence and many functionalities such as data exfiltration, keylogging, video and audio recording, crypto mining, DDoS attacks and delivering additional payloads.
Remediation
To protect yourself from RAT malware, we recommend the following:
Be wary of suspicious emails and any attachments embedded. In the case of threat actors using legitimate information in their emails, be sure to read through the email thoroughly. If the senders email shows a business entity, contact the business to confirm the email. If the senders email is unknown, disregard the email.
Only download apps and software from trusted sources.
Be wary when browsing the internet and do not click on suspicious links and pop ups.
Ensure that you have an updated anti-virus solution and operating system.
Perform regular backups of data.
If you are infected by a RAT, we recommend the following:
Upon discovery of infection, immediately disconnected the infected device from the network in order to prevent any malicious activities from occurring.
Launch the device in safe mode and have a reputable anti-virus installed.
Perform a full scan on the device and remove any threats detected.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: BitRAT campaign uses stolen data for phishing attacks.pdf
References
Gatlan, S. (2023, January 3). BitRAT malware campaign uses stolen bank data for phishing. Retrieved from the BleepingComputer. https://www.bleepingcomputer.com/news/security/bitrat-malware-campaign-uses-stolen-bank-data-for-phishing/
Pradhan, A. (2023, January 3). BitRAT Now Sharing Sensitive Bank Data as a Lure. Retrieved from Qualys blog. https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure