Cardinal RAT: The Remote Access Trojan that targets FinTech companies

• Cardinal RAT primarily targets the financial technology (FinTech) sector in Israel.
• Its capabilities include stealing system information and victim data, stealing credentials, keylogging, executing commands, cleaning cookies from browsers, downloading and executing additional payloads, capturing screenshots, updating and uninstalling itself.

Cardinal RAT is a remote access trojan (RAT) which was first spotted in 2015. Cardinal RAT collects and sends victim information to its C&C server including username, hostname, campaign Identifier, Microsoft Windows version, victim unique identifier, processor architecture, and malware version.

What are its capabilities?

Its capabilities include:

• Stealing system information and victim data
• Stealing credentials
• Keylogging
• Executing command
• Cleaning cookies from browsers
• Downloading and executing additional payloads
• Capturing screenshots
• Updating and uninstalling itself

Who are its targets?

Cardinal RAT primarily targets the financial technology (FinTech) sector in Israel. It also targets victims involved in forex or cryptocurrency trading.

How is it delivered?

Cardinal RAT is delivered via a downloader dubbed Carp that uses malicious macros in Microsoft Excel documents. The malicious Excel documents use different tactics to lure victims into executing the RAT.

Association with EVILNUM malware

Cardinal RAT shares a relationship with the EVILNUM malware family.

• Both the malware are used in attacks against FinTech companies.
• Both the malware have been distributed using malicious documents containing lists of names/numbers of individuals involved in trading forex/cryptocurrency.
• However, delivery methods and infrastructure of both the malware are distinct.

An updated variant

In March 2019, an updated variant of Cardinal RAT was spotted targeting Fintech companies in Israel. This new variant of Cardinal RAT employs various obfuscation techniques to hinder analysis of the underlying code which includes,

• Steganography
• Bitmap (BMP) file technique
• Its functions, methods, and variables have been renamed to MD5 hashes