Heimdal
article featured image

Contents:

Threat actors use data stolen from Columbian bank customers as lures in email phishing attacks. Cyber researchers warn that the campaign aims infecting endpoints with BitRAT remote access trojan.

On the bright side, according to researchers, none of the sensitive data exfiltrated from the bank seems to have been spilled on the dark web or clear web.

While investigating the BitRAT lures, cyber researchers discovered that servers of an undisclosed Colombian bank were hijacked and 418,777 files were stolen. The breach resulted in extremely sensitive customer data, like ID numbers, addresses, payment records, and salary information being available to threat actors involved in the attack.

The above-mentioned data are now used for making phishing emails that aim to deploy BitRAT malware look more credible.

Moreover, the lures themselves contain sensitive data from the bank to make them appear legitimate. This means that the attacker has gotten access to customers’ data.

Source

The Attack`s Structure Explained

When the malicious email completes its mission, an Excel file drops and executes a .inf file into the victims’ machines. Next, the BitRAT payload is from a GitHub repository through the WinHTTP library. Once the computer is infected, threat actors use the WinExec function for execution.

The RAT malware relocates its loader to the Windows startup folder during the last phase of the attack to obtain persistence and restart automatically when the system reboots.

Source

More About BitRAT and Why It Became So Largely Used

BitRAT is a relatively new name in the malware market, with a historic that barely reaches two years’ time.

On the dark web markets and cybercrime forums, BitRAT is sold for only $20 and offers lifetime access. The cost is pretty low for the versatility and opportunities the „product” offers.

Once they get the license for it, threat actors are free to use BitRAT however they like. Cyber researchers noticed it being largely present on social media, with various purposes like recording video and audio, stealing data, DDoS attacks, and cryptocurrency mining.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE