Cardinal RAT is a remote access trojan (RAT) first spotted in 2015. Cardinal RAT collects victim information and sends it to its C&C server, including username, hostname, campaign identifier, Microsoft Windows version, victim unique identifier, processor architecture, and malware version.
What are its capabilities?
Its capabilities include:
Who are its targets?
Cardinal RAT primarily targets the financial technology (FinTech) sector in Israel. It also targets victims involved in forex or cryptocurrency trading.
How is it delivered?
Cardinal RAT is delivered by a downloader dubbed Carp, which uses malicious macros in Microsoft Excel documents. The malicious Excel documents use a variety of lures to trick victims into executing the RAT.
Association with EVILNUM malware
Cardinal RAT shares a relationship with the EVILNUM malware family.
An updated variant
In March 2019, an updated variant of Cardinal RAT was spotted targeting FinTech companies in Israel. This new variant of Cardinal RAT employs various obfuscation techniques to hinder analysis of the underlying code, which include,