Cardinal RAT went unnoticed for two years

Remote access Trojan used malicious Excel macros to infect systems

Security researchers have discovered a remote access Trojan that used malicious Excel macros to download and run the malware.

Called Cardinal RAT, the malware was found by researchers at Palo Alto Networks. The Trojan has been lying low with 27 samples collected over a two-year period.

According to a blog post, the malware is delivered via a downloader, dubbed Carp, that uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. 

Advertisement - Article continues below

The Excel files sport a variety of lures to entice victims into running the malware. The downloader is used to evade detection as it compiles and executes C# source code using Microsoft Windows built-in csc.exe utility.

This download pulls the malware from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and decrypts it using AES-128 and then executes it. While the downloader is not required to download this particular malware, researchers said that it has exclusively done so.

According to Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks, the majority of these lures are financial-related, describing various fake customer lists for various organisations. "Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information," he said.

Advertisement - Article continues below

He added the name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables. 

Advertisement - Article continues below

"To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long," he said.

When the Trojan is initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality.  

"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively," said Grunzweig. 

The malware then send to a command and control server such information as username, hostname, Windows version, and processor architecture. It can also find passwords, log key strokes and capture screen shots.




What is a Trojan?

14 Aug 2019
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020

Most Popular


Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020

These are the companies offering free software during the coronavirus crisis

2 Apr 2020