Cloud security company Qualys reports that the threat actors behind a malware campaign used stolen bank customer information from Colombia to lure victims with phishing emails.
While investigating BitRAT lures and active phishing attacks, the company discovered that the infrastructure of a Colombian bank had been taken over by criminals.
The breached servers contained 418,777 records that included sensitive customer information such as names, telephone numbers, emails, addresses, Colombian national IDs and payment records.
Qualys found further evidence during its investigation of the attack, such as logs showing that the attackers had probed for SQL injection bugs with the sqlmap utility.
To make the lures appear legitimate, they contain sensitive bank data. “This means the attacker has gained access to customers’ data,” Qualys said.
“We found logs that pointed to SQLi faults and actual dumps while digging into the infrastructure.”
Qualys has not yet found any of the information stolen from the Colombian bank’s servers on the dark web or clear web.
Malicious Excel files deliver the malware to victims’ computers: the Excel file carries a complex macro that drops an embedded INF file.
Next, the final BitRAT payload is downloaded from GitHub on the compromised device using WinHTTP and executed with WinExec.
The RAT then moves its loader into the Windows Startup folder, which lets it persist and relaunch automatically after system restarts.
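As an added defender-side example (not code from the Qualys report), the following Python correlates constructed Sysmon-style endpoint events against the three stages of the chain described above: an Office process dropping an INF file, a non-browser process fetching from GitHub, and a write into the Startup folder. The field names, process allow-lists and sample paths are assumptions.

```python
import ntpath
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Processes for which GitHub traffic is expected on a workstation (assumed allow-list).
EXPECTED_GITHUB_CLIENTS = {"git.exe", "git-remote-https.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # matched case-insensitively

# Constructed telemetry (not real events). WS01 shows the full chain, WS02 is benign.
EVENTS = [
    {"host": "WS01", "type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\ana\AppData\Local\Temp\setup.inf"},
    {"host": "WS01", "type": "NetworkConnect", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"host": "WS01", "type": "FileCreate", "image": r"C:\Users\ana\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"host": "WS02", "type": "NetworkConnect", "image": r"C:\Program Files\Git\mingw64\bin\git-remote-https.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"host": "WS02", "type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\bob\Documents\budget.xlsx"},
]

def office_drops_inf(ev):
    """Stage 1: an Office application writes an .inf file (macro dropping the INF)."""
    return (ev["type"] == "FileCreate"
            and ntpath.basename(ev["image"]).lower() in OFFICE_APPS
            and ev["target"].lower().endswith(".inf"))

def unexpected_github_download(ev):
    """Stage 2: GitHub reached by a process that is not a browser or git client."""
    return (ev["type"] == "NetworkConnect"
            and ev["dest_host"].lower() in GITHUB_HOSTS
            and ntpath.basename(ev["image"]).lower() not in EXPECTED_GITHUB_CLIENTS)

def startup_folder_persistence(ev):
    """Stage 3: a file is written into the per-user Startup folder."""
    return ev["type"] == "FileCreate" and STARTUP_MARKER in ev["target"].lower()

RULES = {"office_drops_inf": office_drops_inf,
         "unexpected_github_download": unexpected_github_download,
         "startup_folder_persistence": startup_folder_persistence}

def triage(events):
    """Return {host: [rule names hit, first-seen order]} for hosts with at least one hit."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev) and name not in hits[ev["host"]]:
                hits[ev["host"]].append(name)
    return {h: r for h, r in hits.items() if r}

def hosts_to_escalate(events, min_stages=2):
    """Hosts where at least min_stages distinct stages fired; one lone stage is a weak signal."""
    return sorted(h for h, r in triage(events).items() if len(r) >= min_stages)
```

Any single rule fires on legitimate activity now and then; requiring two or more stages on the same host is what separates this chain from noise.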
BitRAT was sold on cybercrime forums and dark-web markets for $20 per year.
Each “customer”, after purchasing a license, uses their own means of infecting victims with the malware, such as phishing and watering holes.
BitRAT is versatile: it can record video and audio, launch DDoS attacks, mine cryptocurrency and deliver additional payloads.
“Commercial off-the-shelf RATs are constantly improving their methods to spread and infect victims,” said Akshat Pradhan, senior engineer in threat research at Qualys. “They have increased their use of legitimate infrastructure to host payloads, and it is important that defenders account for this.”