Cardinal RAT went unnoticed for two years

Remote access Trojan used malicious Excel macros to infect systems

Security researchers have discovered a remote access Trojan that used malicious Excel macros to download and run the malware.

Called Cardinal RAT, the malware was found by researchers at Palo Alto Networks. The Trojan has been lying low with 27 samples collected over a two-year period.

According to a blog post, the malware is delivered via a downloader, dubbed Carp, that uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. 

The Excel files sport a variety of lures to entice victims into running the malware. The downloader is used to evade detection as it compiles and executes C# source code using Microsoft Windows built-in csc.exe utility.

Advertisement - Article continues below
Advertisement - Article continues below

This download pulls the malware from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and decrypts it using AES-128 and then executes it. While the downloader is not required to download this particular malware, researchers said that it has exclusively done so.

According to Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks, the majority of these lures are financial-related, describing various fake customer lists for various organisations. "Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information," he said.

He added the name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables. 

"To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long," he said.

When the Trojan is initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality.  

"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively," said Grunzweig. 

Advertisement - Article continues below

The malware then send to a command and control server such information as username, hostname, Windows version, and processor architecture. It can also find passwords, log key strokes and capture screen shots.

Featured Resources

Report: The State of Software Security

This annual report explores important trends in software security

Download now

A fast guide to finding your cloud solution

One size doesn't fit all in the cloud, so how do you find the best option for your business?

Download now

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Small & Medium Business Trends Report

Insights from 2,000+ business owners and leaders worldwide

Download now



What is a Trojan?

14 Aug 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020