
A type of malware that aims to take control of a victim’s computer has resurfaced. According to a report by Unit42, the malware has been upgraded and now targets Israeli crypto and fintech firms. Known as the Cardinal Remote Access Trojan (RAT), it has resurfaced two years after Unit42 discovered it in 2017.

“A series of modifications have been made to the RAT, many of which are used to evade detection and hinder analysis,” the report by Unit42 stated. Unit42 is the cybersecurity arm of Santa Clara, California-based tech firm, Palo Alto Networks.

“Unlike previously discussed samples, this latest instance of Cardinal RAT employs various obfuscation techniques to hinder analysis of the underlying code,” the report continued.

The upgraded version of the Cardinal RAT malware runs in the background, making it difficult to weed out. It collects victim information, acts as a reverse proxy and updates a victim’s settings. It can also recover passwords, capture screenshots and clean cookies from browsers.

And this time, Cardinal RAT has brought its evil twin, EVILNUM. For most victims of Cardinal RAT, Unit42 also noted that EVILNUM was present. This led the team to believe that the two were working hand in hand, making the attack deadlier than it was in 2017.

EVILNUM is considered first-stage malware: malware used to give the attacker data about the victim before installing other utilities that the attacker then exploits. EVILNUM is able to take screenshots, set up persistence and download additional files.

The two malware programs have been targeting fintech firms that develop software for forex and crypto trading purposes in Israel. They both target the same victim in a very short span of time. Unit42 suspects that the two malware programs are being used by the same group of attackers.

So far, no firm has reported any losses related to the two programs, either in the forex or crypto trading industries. However, Unit42 has advised fintech firms to be vigilant. They said:

“Organizations with effective spam filtering, proper system administration, and up-to-date Windows hosts have a much lower risk of infection.”
