Cybercriminals are increasingly opting for readily available malware packages sold by third-party vendors to conduct cyberattacks, relying on commercial off-the-shelf malware that can serve both mass exploitation and targeted attacks. One such commercial off-the-shelf malware, BitRAT, has evolved the way it spreads and infects victims.
From spray and pray to sniping
Qualys researchers found that BitRAT attacks have swiftly shifted from so-called spray-and-pray campaigns to more targeted attacks.
An unknown adversary had hijacked the network of a Colombian cooperative bank to steal customer data.
The adversary crafted convincing decoy messages using the stolen information to lure victims into opening suspicious Excel attachments.
Additionally, these Excel maldocs embed a highly obfuscated macro that downloads a second-stage DLL payload.
The DLL payload uses various anti-debugging techniques, then retrieves embedded payloads from GitHub and executes BitRAT on the compromised host.
Scenario in hindsight
The attackers created a GitHub repository in mid-November, under a throwaway account, to host multiple payloads.
The repository holds BitRAT samples embedded in BitRAT loader samples, and the loaders carry resources hijacked from two different companies to appear legitimate.
The loaders decode the embedded binary and reflectively load it. Once running, the BitRAT sample relocates the loader to the user's Startup folder for persistence.
More info
Experts identified logs pointing to the use of the sqlmap tool to find potential SQL injection flaws, as well as actual database dumps.
The database dump comprises 418,777 records with customers' details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salaries, and addresses.
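The sqlmap traces mentioned above are the kind of evidence a defender can hunt for in web-server access logs. The following Python script is an added example, not code from the Qualys report or from this article: it parses a handful of Combined Log Format lines, flags sqlmap's stock User-Agent string, and applies a few heuristic checks for injection payload shapes in the URL-decoded request target. The log lines, IP addresses, timestamps and indicator patterns are all constructed for the example and are not indicators from the incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx Combined Log Format.
# None of these addresses, paths or timestamps come from the Qualys report.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2022:10:01:02 +0000] "GET /login.php?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [14/Nov/2022:10:01:05 +0000] "GET /login.php?user=alice' HTTP/1.1" 500 211 "-" "sqlmap/1.6.11#stable (https://sqlmap.org)"
203.0.113.7 - - [14/Nov/2022:10:01:06 +0000] "GET /login.php?user=alice%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.6.11#stable (https://sqlmap.org)"
198.51.100.23 - - [14/Nov/2022:10:02:00 +0000] "GET /account?id=42%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 9800 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [14/Nov/2022:10:02:01 +0000] "GET /account?id=42 HTTP/1.1" 200 780 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [14/Nov/2022:10:03:00 +0000] "POST /search HTTP/1.1" 200 3400 "-" "curl/7.85.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic payload shapes checked against the URL-decoded request target.
# These are illustrative patterns chosen for this example, not a complete ruleset.
PAYLOAD_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "tautology": re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "sql-comment": re.compile(r"(?:--|#|/\*)\s*$"),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    indicator: str
    evidence: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_target(path: str) -> str:
    """URL-decode the request target twice so double-encoded payloads are also visible."""
    return unquote(unquote(path))


def check_entry(entry: dict) -> List[Finding]:
    """Apply the user-agent and payload heuristics to one parsed entry."""
    findings: List[Finding] = []
    ua = entry["ua"]
    # sqlmap's stock User-Agent begins with "sqlmap/"; it can be overridden,
    # so treat this as one signal among several rather than the only one.
    if ua.lower().startswith("sqlmap/"):
        findings.append(Finding(entry["ip"], entry["ts"], "sqlmap-user-agent", ua))
    target = decode_target(entry["path"])
    # An odd number of single quotes suggests a quote was injected to break out of a string literal.
    if target.count("'") % 2 == 1:
        findings.append(Finding(entry["ip"], entry["ts"], "unbalanced-quote", target))
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(target):
            findings.append(Finding(entry["ip"], entry["ts"], name, target))
    return findings


def analyze(log_text: str) -> List[Finding]:
    """Run the heuristics over every parseable line of a log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            findings.extend(check_entry(entry))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group the distinct indicators seen per source address, for triage."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_ip[f.ip].add(f.indicator)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, indicators in sorted(summarize(analyze(SAMPLE_LOG)).items()):
        print(f"{ip}: {', '.join(sorted(indicators))}")
```

The per-address summary is what makes this useful for triage: a source that trips several distinct indicators in a short window (default scanner User-Agent plus quote-breaking plus a tautology) is far more likely to be automated probing than a single odd-looking request. The User-Agent check alone is weak evidence, since the string is trivially changed, and the payload patterns will produce some false positives on unusual but legitimate query strings, so the output is a starting point for investigation rather than a verdict.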
Conclusion
With evolved TTPs and a wide range of functionality to steal data, harvest credentials, mine cryptocurrency, and download additional binaries, BitRAT is a handy tool for cybercriminals. Experts therefore suggest that organizations and individuals protect themselves with anti-malware software and firewalls, and by providing cybersecurity training to their employees.