Cardinal RAT went unnoticed for two years

Remote access Trojan used malicious Excel macros to infect systems

Security researchers have discovered a remote access Trojan that used malicious Excel macros to download and run the malware.

Called Cardinal RAT, the malware was found by researchers at Palo Alto Networks. The Trojan has kept a low profile, with only 27 samples collected over a two-year period.

According to a blog post, the malware is delivered via a downloader, dubbed Carp, that uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable, which is then run to deploy the Cardinal RAT malware family.

The Excel files sport a variety of lures to entice victims into running the malware. The downloader evades detection by compiling and executing C# source code with the csc.exe compiler that ships with Microsoft Windows.

The downloader pulls the malware from secure.dropinbox[.]pw using plain HTTP on port 443 (not HTTPS), decrypts it using AES-128 and then executes it. While the downloader is not limited to fetching this particular malware, researchers said that so far it has exclusively done so.
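Two of the behaviours described above leave host and network traces a defender can look for: an Office application spawning csc.exe, and a connection to port 443 whose payload is plain HTTP rather than a TLS handshake. The following detection logic is an added example, not code from the Unit 42 report or from the malware; the process and flow records it runs over are constructed, and their field names are assumed rather than taken from any specific product.

```python
# Office parents worth flagging when they launch the C# compiler; EXCEL.EXE is the one the
# Carp downloader abuses, the other two are added to cover the same macro-to-compiler pattern.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

# Constructed process-creation events in a Sysmon Event ID 1 shape (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4012, "ppid": 3100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4320, "ppid": 4012, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    # Benign: a developer tool compiling code, which should not fire the rule.
    {"pid": 5100, "ppid": 2200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
]

# Constructed flow records carrying the first client bytes, as a network sensor might keep them.
NETWORK_EVENTS = [
    {"pid": 4320, "dest_port": 443, "first_bytes": b"GET /x HTTP/1.1\r\nHost: example.invalid\r\n"},
    # Benign: a real TLS ClientHello (record type 0x16) on 443.
    {"pid": 6000, "dest_port": 443, "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_spawning_csc(event: dict) -> bool:
    """An Office application launching csc.exe: the downloader's compile-on-the-fly step."""
    return basename(event["parent_image"]) in OFFICE_PARENTS and basename(event["image"]) == "csc.exe"


def is_cleartext_http_on_443(flow: dict) -> bool:
    """Plain HTTP on 443: the payload opens with an HTTP method, not a TLS record header."""
    return flow["dest_port"] == 443 and flow["first_bytes"].startswith(HTTP_METHODS)


def find_alerts(process_events, network_events):
    """Return (rule, pid) pairs; both rules firing for the same pid is the strongest signal."""
    alerts = [("office_spawned_csc", e["pid"]) for e in process_events if is_office_spawning_csc(e)]
    alerts += [("http_on_443", f["pid"]) for f in network_events if is_cleartext_http_on_443(f)]
    return alerts


if __name__ == "__main__":
    for rule, pid in find_alerts(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule}: pid {pid}")
```

Neither rule is proof of Cardinal RAT on its own, since developers legitimately run csc.exe and some services speak HTTP on 443; the value is in correlating both against one process tree.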

According to Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks, the majority of these lures are financial-related, describing fake customer lists for a range of organisations. "Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information," he said.

He added that the name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables.

"To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long," he said.

When the Trojan is first executed, it checks its current working directory. Should it not match the expected path, Cardinal enters its installation routine: it copies itself to a randomly named executable in the expected directory, then compiles and executes embedded source code that contains watchdog functionality.

"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively," said Grunzweig.

The malware then sends information such as username, hostname, Windows version and processor architecture to a command and control server. It can also harvest passwords, log keystrokes and capture screenshots.
