A new variant of Cardinal RAT employs BMP trick to target Israeli financial firms

• The original Cardinal RAT has been modified to evade detection and hinder analysis.
• Researchers suggest Cardinal RAT shares a relationship with another malware family named EVILNUM.

Cardinal RAT, which was silent for the past two years, is back in a new form. The new variant of the malware is being used in a series of attacks against Israel-based financial technology firms.

What is the matter - In an extensive report, researchers from Palo Alto Networks’ Unit 42 revealed that attackers are using an updated version of Cardinal RAT to target financial technology (FinTech) sector, primarily based in Israel. The original malware has been modified to evade detection and hindering analysis.

During the analysis, researchers found that Cardinal RAT shared a relationship with another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

“When looking at files submitted by the same customer in a similar time frame to the Cardinal RAT samples, we saw that the customer had also submitted a malware family we’d been tracking as EVILNUM. From our viewpoint, this is another family that seems to be used solely in attacks against finance-related organizations,” said the researchers.

What are the capabilities of Cardinal RAT - Palo Alto Unit 42 researchers have identified the latest sample of Cardinal RAT as version 1.7.2. Unlike the previous samples, the new variant of Cardinal RAT employs various obfuscation techniques to hinder analysis of the underlying code.

“The first layer of obfuscation comes in the form of steganography; the initial sample is compiled with .NET and contains an embedded bitmap (BMP) file. Upon execution, the malware will read this file, parse out pixel data from the image, and decrypt the result using a single-byte XOR key,” the researchers explained.

The capabilities of the new variant of Cardinal RAT includes:

• Collecting victims’ information
• Updating settings
• Acting as a reverse proxy
• Executing malicious commands
• Uninstalling itself
• Recovering passwords
• Keylogging
• Capturing screenshots
• Cleaning cookies from browsers

The bottom line - Researchers believe that both Cardinal RAT and EVILNUM are both used in limited distribution against FinTech companies. Companies can protect themselves against the dual threat of these two malware by looking out for emails with LNK file attachments or ZIP file attachments.