Threat actors behind a recent malware campaign used stolen banking customer information in Colombia as lures in phishing emails designed to infect targets with the BitRAT remote access trojan, according to cloud security firm Qualys.
The company discovered that the infrastructure of an undisclosed Colombian cooperative bank had been hijacked by attackers while investigating BitRAT decoys in active phishing attacks.
A total of 418,777 records containing sensitive customer data, including names, phone numbers, email addresses, home addresses, Colombian national ID numbers, payment records and salary information, were stolen from the hacked servers.
Investigating the campaign, Qualys also uncovered evidence the attackers had accessed customer data, including logs showing they were looking for SQL injection bugs using the sqlmap tool.
“Additionally, the decoys themselves contain sensitive bank data to make it appear legitimate. This means the attacker gained access to customer data,” Qualys said.
“Digging deeper into the infrastructure, we identified logs that point to the use of the sqlmap tool to find potential SQLi faults, as well as actual database dumps.”
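The sqlmap traces Qualys describes are the kind of thing a web server's own access log records. As an added example, not taken from the Qualys report or the bank's infrastructure, the script below runs a small detector over a few constructed Apache combined-format log lines: it flags sqlmap's default User-Agent string and, because that string is trivially changed with `--random-agent`, also decodes each query parameter and looks for the boolean, UNION and time-based probe patterns sqlmap emits. All IP addresses, paths and the sqlmap version string in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl

# Constructed Apache "combined" access-log lines (not real traffic). The first
# and last lines are benign; 198.51.100.7 is a sqlmap run with the default
# User-Agent, 198.51.100.8 is a time-based probe hiding behind a browser UA.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2022:10:01:02 +0000] "GET /account?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [10/Jan/2022:10:01:05 +0000] "GET /account?id=42%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.6.1#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Jan/2022:10:01:05 +0000] "GET /account?id=42%27%20AND%201%3D2--%20 HTTP/1.1" 200 1034 "-" "sqlmap/1.6.1#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Jan/2022:10:01:06 +0000] "GET /account?id=42%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.6.1#stable (https://sqlmap.org)"
198.51.100.8 - - [10/Jan/2022:10:02:11 +0000] "GET /account?id=42%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
203.0.113.11 - - [10/Jan/2022:10:03:00 +0000] "GET /search?q=union+station HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristics for the payload families sqlmap injects. Word boundaries keep
# ordinary text such as "union station" from matching the UNION rule.
SQLI_PATTERNS = [
    ("union-based", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("boolean-based", re.compile(r"['\")]\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def analyze_request(line):
    """Parse one access-log line and return its source IP plus any SQLi findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    url = urlparse(m.group("path"))
    findings = set()
    if "sqlmap" in ua.lower():
        findings.add("sqlmap-user-agent")
    # parse_qsl percent-decodes values, so the patterns see the real payload.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                findings.add(f"{label}:{name}")
    return {"ip": m.group("ip"), "path": url.path, "ua": ua, "findings": sorted(findings)}


def scan_log(text):
    """Aggregate findings per source IP; only sources with at least one finding are returned."""
    by_ip = defaultdict(lambda: {"requests": 0, "findings": set(), "sqlmap_ua": False})
    for line in text.splitlines():
        r = analyze_request(line)
        if not r or not r["findings"]:
            continue
        entry = by_ip[r["ip"]]
        entry["requests"] += 1
        entry["findings"].update(r["findings"])
        entry["sqlmap_ua"] |= "sqlmap-user-agent" in r["findings"]
    return {ip: {**e, "findings": sorted(e["findings"])} for ip, e in by_ip.items()}


if __name__ == "__main__":
    for ip, summary in scan_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The User-Agent match is the cheap win; the payload patterns are what catch a scanner that has randomised it, at the cost of occasional false positives on legitimate input that happens to contain SQL keywords, so treat a single hit as a lead and a burst of varied payloads against one parameter from one source as the real signal.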
For the moment, none of the information stolen from the servers of the Colombian bank has been found on the dark web or clearweb sites monitored by Qualys.
The malware is delivered via a malicious Excel attachment: a highly obfuscated macro inside the file carries the encoded INF file, which the macro drops to disk and executes.
The final BitRAT payload is then downloaded from a GitHub repository using the WinHTTP library on the compromised device and executed using the WinExec function.
In the last stage of the attack, the RAT moves its loader into the Windows Startup folder so that it is relaunched automatically after every reboot, giving it persistence.
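Each step of that chain leaves an endpoint telemetry event, and the chain is far more distinctive than any single step. As an added example that is not from the Qualys report, the script below correlates constructed Sysmon-style process, file and network events back to their nearest Office ancestor and reports the indicators seen under that ancestor: an .inf file written by the Office process, a descendant executing that INF, a connection to GitHub from the chain, and a file created in the Startup folder. The article does not say how the INF is launched; the sample assumes the common `rundll32 advpack.dll,LaunchINFSection` technique, and the file names, PIDs and paths are all constructed.

```python
import re
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Hosts a GitHub-hosted payload download would resolve to.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Command lines that run an INF: a direct .inf argument, advpack's
# LaunchINFSection export, or InfDefaultInstall.exe (assumed launch methods).
INF_EXEC_RE = re.compile(r"\.inf\b|launchinfsection|infdefaultinstall", re.I)

# Constructed Sysmon-like events (not real telemetry). PIDs 200-400 are the
# malicious chain; PID 500 is a user opening a spreadsheet normally.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\ana\Downloads\Extracto_Bancario.xlsm"'},
    {"type": "file", "pid": 200, "path": r"C:\Users\ana\AppData\Local\Temp\ver.inf"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c rundll32.exe advpack.dll,LaunchINFSection C:\Users\ana\AppData\Local\Temp\ver.inf,DefaultInstall"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\ana\AppData\Local\Temp\ver.inf,DefaultInstall"},
    {"type": "network", "pid": 400, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "file", "pid": 400, "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\ana\Documents\budget.xlsx"'},
    {"type": "network", "pid": 500, "dest_host": "officeclient.microsoft.com", "dest_port": 443},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_chains(events):
    """Return {office_pid: sorted indicators} for every Office process whose
    descendants (or the process itself) show signs of the macro -> INF -> GitHub
    -> Startup-folder chain. Office processes with no indicators are omitted."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def office_root(pid):
        # Walk up the parent chain to the nearest Office process, if any.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if _basename(procs[pid]["image"]) in OFFICE_IMAGES:
                return pid
            pid = procs[pid]["ppid"]
        return None

    indicators = defaultdict(set)
    for e in events:
        root = office_root(e["pid"])
        if root is None:
            continue
        if e["type"] == "process" and e["pid"] != root and INF_EXEC_RE.search(e["cmdline"]):
            indicators[root].add("inf-execution")
        elif e["type"] == "file":
            if e["path"].lower().endswith(".inf"):
                indicators[root].add("dropped-inf")
            if STARTUP_RE.search(e["path"]):
                indicators[root].add("startup-persistence")
        elif e["type"] == "network" and e["dest_host"].lower() in GITHUB_HOSTS:
            indicators[root].add("github-download")
    return {pid: sorted(v) for pid, v in indicators.items()}


if __name__ == "__main__":
    for pid, found in detect_office_chains(SAMPLE_EVENTS).items():
        print(f"Office PID {pid}: {', '.join(found)}")
```

Scoring by chain rather than by event is what keeps the GitHub rule usable: developers and build tools talk to GitHub all day, but a rundll32 descended from Excel doing so, right after an INF was dropped, is a different matter.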
BitRAT has been sold as off-the-shelf malware on dark web marketplaces and cybercrime forums since at least August 2020, for as little as $20 for lifetime access.
The highly versatile BitRAT can be used for a variety of malicious purposes, including video and audio recording, data theft, DDoS attacks, cryptocurrency mining, and delivering additional payloads.
“Commercial off-the-shelf RATs have evolved their methodology to spread and infect their victims,” said Akshat Pradhan, Principal Threat Research Engineer at Qualys.
“They have also increased the use of legitimate infrastructure to host their payloads and defenders need to account for that.”