Attackers Use Stolen Bank Details to Spread BitRAT

From spray and pray to sniping

• An unknown adversary had hijacked the network of a Colombian cooperative bank to steal customer data.
• The adversary crafted convincing decoy messages using the stolen information to lure victims into opening suspicious Excel attachments.
• Additionally, these Excel maldocs embedded a highly obfuscated macro within them, which is used to download a second-stage DLL payload.
• The DLL payload uses various anti-debugging techniques to retrieve embedded payloads from GitHub and execute BitRAT on the compromised host.

Scenario in the hindsight

• The attackers created a GitHub repository in mid-November and a throwaway account to host multiple payloads.
• The repository contains the BitRAT sample embedded into BitRAT loader samples and hijacked resources from two different companies to appear legitimate.
• The loaders decode the binary and reflectively load them. BitRAT sample executes and relocates the loader to the user's startup for persistence.

More info

• Experts identified logs that point to the usage of the sqlmap tool to find potential SQL injection faults and actual database dumps.
• The database dump comprises 418,777 records with customers’ details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, and address.

Conclusion