Malware alert! Crypto trading firms are under attack

A Trojan-style malware is attacking Israeli fintech and cryptocurrency trading firms in an attempt to get revenge. This Cardinal RAT malware was also spotted several years ago in 2017 and went largely undetected for almost two years. It appears that the virus has returned and is going after the cryptocurrency trading firms again.

What the virus did before, was to enter into the computer using a downloader called Carp and uses Microsoft Excel’s documents to compile the source code into a program which then deploys the malware into the system.

However, the updated version of the malware has resurfaced which is evading “detection and hinder analysis”, according to the researchers from Palo Alto Networks’ Unit 42, an American multinational cybersecurity company.

See Also: Impostors pose as CIA agents to steal Bitcoins in new blackmail scheme

The latest version of the Cardinal RAT virus applies a number of techniques to go through the analyzing systems undetected and making it more difficult to find it. One of the techniques include steganography, it refers to a class of programming approach that are used to obscure messages, files, and other important data.

The virus is loaded into the victim’s computer through the data embedded into a Bitmap (BMP) image file during installation. It looks harmless from the surface but when the image is opened, the embedded code decodes itself and initiate the attack.

The malware steals your passwords, usernames, and other sensitive data which then it sends back to the malware operators giving them the power to steal your cryptocurrency.

According to the report from Unit 42, the malware operators perform the following actions;

• Collect victim information
• Update settings
• Act as a reverse proxy
• Execute command
• Uninstall itself
• Recover passwords
• Download and Execute new files
• Keylogging
• Capture screenshots
• Update Cardinal RAT
• Clean cookies from browsers

Two Cardinal RAT attacks have been observed since 2017, and according to Unit 42 both times the victims were fintech companies based in Israel. A total of 13 reports have been received until now, which include nine from Israel, two from the US and one each from Austria and Japan.