Hackers leveraged stolen bank data to drop the BitRAT malware

January 5, 2023

Researchers have recently uncovered a new malware campaign in which threat actors use stolen bank data in phishing emails to lure victims and then drop the BitRAT remote access trojan onto their machines.

According to the report, the attackers allegedly exfiltrated sensitive data from the IT systems of a cooperative bank in Colombia and then used that data to craft convincing email messages designed to trick targets into opening attachments that deliver the RAT.

The stolen bank data came from a dumped database containing over 400,000 records.

Based on an assessment, the campaign was traced back to a dumped database believed to have been obtained by exploiting an SQL injection flaw. The database contained about 418,777 records belonging to Colombian citizens.

Researchers analysed the compromised database and found that it includes Colombians' cedula numbers (national ID numbers), email addresses, contact details, full names, residential addresses, payment records, and salary details, among other data.

Researchers also concluded that the threat actors behind the malware campaign were the same ones who stole the bank's data, since the database was not found on any dark web forum or underground marketplace. Once acquired, the data was used as the lure for the follow-up phishing operation.

When victims open the Excel file attached to the phishing message, they see the stolen bank data while a macro silently runs in the background, downloading a second-stage DLL payload that executes the BitRAT malware.

Researchers added that the macro uses the WinHTTP library to download the BitRAT payload into the %temp% directory; the payload was hosted in a GitHub repository containing BitRAT loader samples that are decoded and launched during infection campaigns.
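As an added example (not from the researchers' report), the chain described above, an Office process writing a DLL into %temp% and a loader then executing it, can be hunted for in endpoint telemetry. The event records below are constructed to resemble Sysmon FileCreate (ID 11) and ProcessCreate (ID 1) data; the field names, user name and file names are assumptions.

```python
import re

# Processes whose file writes into %temp% are suspicious when the file is a DLL.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Signed Windows binaries commonly used to execute a dropped DLL.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample telemetry (not real campaign logs): a benign Excel temp
# file, a DLL dropped by Excel, the loader running it, and an unrelated process.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\ana\AppData\Local\Temp\~DF3A1B.TMP"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\ana\AppData\Local\Temp\stage2.dll"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\stage2.dll,Start"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_office_dll_drop(events):
    """Return one alert per DLL written to %temp% by an Office process.
    Severity is 'high' on the write and 'critical' if a loader later runs it."""
    dropped = {}   # lower-cased DLL path -> its alert, for correlation
    alerts = []
    for ev in events:
        if ev["id"] == 11 and basename(ev["image"]) in OFFICE_IMAGES:
            target = ev["target"]
            if TEMP_DIR.search(target) and target.lower().endswith(".dll"):
                alert = {"severity": "high", "dll": target,
                         "reason": "Office process wrote a DLL to %temp%"}
                dropped[target.lower()] = alert
                alerts.append(alert)
        elif ev["id"] == 1 and basename(ev["image"]) in DLL_LOADERS:
            cmd = ev.get("cmdline", "").lower()
            for path, alert in dropped.items():
                if path in cmd:   # loader command line references the dropped DLL
                    alert["severity"] = "critical"
                    alert["reason"] += "; later loaded by " + basename(ev["image"])
    return alerts

if __name__ == "__main__":
    for alert in detect_office_dll_drop(SAMPLE_EVENTS):
        print(alert)
```

Running it flags only stage2.dll, escalated to critical because rundll32.exe later references it; the ordinary Excel temp file and the notepad launch produce nothing.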

Since BitRAT became available on underground forums, it has become popular among threat actors because it offers a wide range of capabilities for a low price of $20. Its most common features include data and credential theft, cryptocurrency mining, and downloading additional binaries.

Because the RAT has been widely used over time, its developers have continued to enhance its capabilities and infection mechanisms.
