Israeli Fintech Companies Targeted by Cardinal RAT Malware

Unit 42, the threat research department of Palo Alto Networks, published a report on Tuesday revealing that Israeli fintech companies are being targeted by malware.

March 21, 2019. | AtoZ Markets – The threat research department has uncovered malware that targets Israeli fintech companies developing software for Forex and crypto trading firms. According to the report, Unit 42 had analyzed an older version of the Cardinal malware in 2017. Cardinal is a Remote Access Trojan (RAT), which enables attackers to take remote control of the victim's system. Since the 2017 report, the researchers have identified a series of attacks by the constantly upgraded malware. Some of the upgrades included modifications that have made the RAT's attacks undetectable and difficult to analyze. The report also noted that these attacks are focused on fintech companies based in Israel.

The report added that, since the first discovery, the attackers have made modifications to the Cardinal RAT malware. One of them was a possible merging of the RAT with a similar malware called EVILNUM. Since the first discovery in 2017, the malware has been upgraded from version 1.4 to 1.7.2. The latest version uses several elaborate techniques to hinder analysis. Upon execution, the new version of this malware collects the victim's data, installs or updates to the new version, and executes commands from the attackers. The RAT can then recover passwords, download and execute an embedded BMP file, parse pixel data out of the image, update itself, clean cookies from the browsers, and finally uninstall itself.
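As an added illustration of the BMP detail above (not code from the article or from Unit 42's report), the Python below parses a BMP's pixel array and applies a defender-side triage heuristic. Since the article does not say how the pixel data is encoded, it assumes a hidden payload that is either an unencrypted PE image or near-random bytes; the sample images are constructed.

```python
import math
import struct
from collections import Counter


def build_bmp(pixels: bytes) -> bytes:
    """Wrap raw pixel bytes in a minimal 24-bit BMP (constructed test input)."""
    offset = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_hdr = b"BM" + struct.pack("<IHHI", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, len(pixels) // 3, 1, 1, 24,
                           0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_data(bmp: bytes) -> bytes:
    """Return the pixel array located via the offset stored in the BMP file header."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", bmp, 10)[0]
    if offset >= len(bmp):
        raise ValueError("pixel data offset lies outside the file")
    return bmp[offset:]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_bmp(bmp: bytes, entropy_threshold: float = 7.0) -> dict:
    """Coarse triage: PE markers or near-random pixel bytes warrant a closer look."""
    px = pixel_data(bmp)
    entropy = round(shannon_entropy(px), 2)
    has_pe = b"MZ" in px and b"PE\0\0" in px  # DOS stub plus PE signature
    return {
        "pixel_bytes": len(px),
        "entropy": entropy,
        "has_pe_markers": has_pe,
        "suspicious": has_pe or entropy > entropy_threshold,
    }


# Constructed samples, not real Cardinal RAT artifacts.
BENIGN_BMP = build_bmp(b"\xff\x00\x00" * 400)  # flat blue image, low entropy
SUSPICIOUS_BMP = build_bmp(b"MZ" + bytes(range(256)) * 4 + b"PE\0\0")
```

An encrypted or otherwise encoded payload would carry no PE markers, and ordinary photographs can also exceed the entropy threshold, so the result is a hint for analysts, not a verdict.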

Cardinal RAT and EVILNUM

The report noted that the research team at Unit 42 has discovered a relationship between Cardinal RAT and EVILNUM. EVILNUM is JavaScript malware used to set up similar attacks against similar organizations. When the team examined files submitted by the same customers in a similar timeframe as the Cardinal RAT samples, it found another malware family, later identified as EVILNUM. EVILNUM has at least two versions – one written in JavaScript and another in .NET. The two versions are similar, however. Both can give an attacker data from the infected host before the attacker installs further utilities on the victim's machine.

Who are the targets?

Since 2017, the team has observed Cardinal attacks on two Israel-based fintech companies that write software relating to Forex and cryptocurrency trading. The report concluded that EVILNUM and Cardinal RAT are 'both used in limited distribution attacks against Fintech companies'.
