A new malware campaign has been observed using sensitive bank information as bait in phishing emails to deliver the BitRAT remote access trojan.
It is believed that an unknown adversary hacked into the IT infrastructure of a Colombian cooperative bank and used the information to craft convincing decoy messages designed to trick victims into opening suspicious Excel attachments.
Qualys, a cybersecurity firm, discovered evidence of a database dump containing 418,777 records that were allegedly obtained by exploiting SQL injection vulnerabilities.
Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary information, and addresses are among the leaked details.
There are no indications that the information has previously been shared on any forums on the darknet or clear web, suggesting that the threat actors themselves gained access to customer data to conduct phishing attacks.
The Excel file containing the exfiltrated bank data also carries an embedded macro that downloads a second-stage DLL payload, which in turn retrieves and executes BitRAT on the compromised host.
“It utilizes the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory,” researcher Akshay Pradhan from Qualys explained.
The repository, which was established in mid-November 2022, is used to host obfuscated BitRAT loader samples that are ultimately decoded and launched to complete infection chains.
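As an added example (not part of the Qualys write-up), the following correlation over constructed Sysmon-style events models the chain described above for detection purposes: an Office process, or a child it spawns, that both writes into %temp% and connects to GitHub. Host names, paths, PIDs and the use of rundll32.exe as the loader's host process are constructed assumptions.

```python
"""Correlate constructed Sysmon-style events for the chain in the article:
an Office macro stage whose loader writes to %temp% and fetches payloads
from GitHub. Events and paths below are constructed, not real telemetry."""
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower().replace("/", "\\")

def detect(events):
    """events: dicts with event_id (1 create, 3 connect, 11 file create),
    pid, image, plus parent_pid (id 1), dest_host (id 3) or target (id 11).
    In scope: Office processes and their direct children. Alert when one
    in-scope process both writes into %temp% and connects to GitHub."""
    scope = {}                       # pid -> image, Office procs + children
    facts = defaultdict(lambda: {"temp": [], "hosts": []})
    for e in events:                 # assumed in chronological order
        img = basename(e["image"])
        if e["event_id"] == 1:
            if img in OFFICE or e.get("parent_pid") in scope:
                scope[e["pid"]] = img
            continue
        if e["pid"] not in scope:    # unrelated process, ignore
            continue
        if e["event_id"] == 11 and in_temp(e["target"]):
            facts[e["pid"]]["temp"].append(e["target"])
        elif e["event_id"] == 3 and e["dest_host"].lower() in GITHUB_HOSTS:
            facts[e["pid"]]["hosts"].append(e["dest_host"])
    return [(pid, scope[pid], f["temp"], f["hosts"])
            for pid, f in facts.items() if f["temp"] and f["hosts"]]

SAMPLE_EVENTS = [  # constructed sample; PIDs, paths and hosts are placeholders
    {"event_id": 1, "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"event_id": 1, "pid": 4388, "parent_pid": 4120, "image": r"C:\Windows\System32\rundll32.exe"},
    {"event_id": 3, "pid": 4388, "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "raw.githubusercontent.com"},
    {"event_id": 11, "pid": 4388, "image": r"C:\Windows\System32\rundll32.exe", "target": r"C:\Users\ana\AppData\Local\Temp\stage.bin"},
    {"event_id": 11, "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "target": r"C:\Users\ana\Documents\extracto.xlsx"},
    {"event_id": 3, "pid": 6100, "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "github.com"},
    {"event_id": 11, "pid": 6100, "image": r"C:\Program Files\Git\cmd\git.exe", "target": r"C:\Users\ana\AppData\Local\Temp\git.tmp"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only the rundll32.exe child of Excel fires; git.exe touches GitHub and %temp% too but has no Office lineage, which is the distinction that keeps this rule quiet on developer hosts.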
BitRAT, an off-the-shelf malware that can be purchased on underground forums for a mere $20, is equipped with a variety of features to steal data, harvest credentials, mine cryptocurrency, and download additional binaries.
“Commercially available RATs have evolved their methods for spreading and infecting their victims,” said Pradhan. “They have also increased their use of legitimate infrastructures to host their payloads, which must be accounted for by defenders.”