The BitRAT malware was used to target a Colombian cooperative bank, where the threat actors made away with records of over 400,000 individuals, and the information from these records is now being used in a massive spear-phishing campaign. This article covers the event: what BitRAT is, the Colombian cooperative bank breach, an analysis of the latest BitRAT sample, why BitRAT is a grave threat, and how organizations can protect themselves against it.
It is common for malware campaigns to use phishing techniques to trick people into installing malware on their devices. But using stolen information for spear-phishing campaigns is a relatively novel approach implemented by threat actors behind the BitRAT malware campaign.
The BitRAT malware has been used in attacks against government and private sector organizations, especially the financial sector. Threat actors are now employing the stolen banking credentials of individuals as phishing lures. Let us see what is happening in detail.
What is BitRAT?
BitRAT is a remote access trojan (RAT) that gives attackers complete control over the infected device. It is typically spread through phishing emails containing links to download the malware. Once the link is clicked and the malware is downloaded, it can be used to steal sensitive information, monitor the victim’s activity, and take control of the victim’s device.
BitRAT has been around since Feb 2021, when it first appeared on underground criminal web markets, and is notorious for the range of functionality it offers at the low price of $20 for a lifetime subscription, including:
- Data exfiltration
- Execution of payloads with bypasses
- DDoS
- Keylogging
- Webcam and microphone recording
- Credential theft
- Monero mining
- Running tasks for processes, files, software, and more
The BitRAT Colombian Cooperative Bank Breach
While investigating BitRAT lures in active phishing campaigns, security researchers at Qualys identified an undisclosed threat actor in the Colombian cooperative bank’s infrastructure. Qualys found records and logs pointing to the use of sqlmap to find potential SQL injection flaws, along with data dumps of over 400,000 records.
The 418,777 records contained customer data, including names, contact numbers, email addresses, residential addresses, payment ledgers, salary information, and Colombian national IDs. All the data was reused in Excel maldocs, and the threat actors are using these Excel sheets as BitRAT lures.
Furthermore, all the Excel maldocs are authored by “Administrator” accounts. Qualys has not found any evidence of the stolen records being published on any of the dark web or clear web lists it monitors, but it is still following all breach disclosure guidelines and will keep updating the victims.
Colombian Cooperative Bank Breach: Analysis of the Latest BitRAT Malware Sample
Qualys analyzed the Excel sheets and found highly obfuscated macros that drop payloads and execute them.
- De-Obfuscation: The payload is a .inf file that is distributed as multiple arrays inside the macro; a de-obfuscation routine performs arithmetic operations on these arrays to rebuild the payload.
- Execution: Once the payload is rebuilt, the macro writes it to the temp directory and executes it using advpack.dll. The .inf file also contains a hex-encoded DLL (Dynamic Link Library) payload, which is the second stage; it is decoded via certutil and written to temp, and the temp files are deleted after use. The DLL uses advanced anti-debugging techniques, downloads the BitRAT payload from GitHub using the WinHTTP library, and writes it to the temp directory. Finally, the DLL calls WinExec to start the payload from temp and exits.
- GitHub Repository: The GitHub repository hosting the BitRAT payload appears to have been created in mid-November, and the account behind it is an anonymous one created for hosting multiple payloads. These payloads are loader samples obfuscated with DeepSea, with the BitRAT sample embedded in them, along with resources hijacked from legitimate enterprises to make them appear genuine.
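As an added example (not code from the article or from Qualys), here is a small Python detector that looks for the stages of this delivery chain in process-creation telemetry. It assumes Sysmon-style events reduced to parent, image and command-line fields, that the .inf is launched through rundll32.exe calling advpack.dll's LaunchINFSection (the usual way advpack.dll is invoked), and that certutil's -decodehex switch performs the hex decode; the sample events are constructed.

```python
"""Flag the Excel -> advpack.dll -> certutil -> %TEMP% execution chain."""
import re

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
DECODE_RE = re.compile(r"-decode(hex)?\b", re.IGNORECASE)

# Constructed sample events modelled on the chain in the article, plus one
# benign Excel child process (a print spooler helper) as noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe advpack.dll,LaunchINFSection "
                r"C:\Users\u\AppData\Local\Temp\x.inf,DefaultInstall"},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decodehex C:\Users\u\AppData\Local\Temp\blob.txt "
                r"C:\Users\u\AppData\Local\Temp\stage2.dll"},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\payload.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\payload.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawns_advpack_inf(e):
    cmd = e["cmdline"].lower()
    return basename(e["parent"]) in OFFICE_APPS and "advpack.dll" in cmd and ".inf" in cmd

def certutil_decode_to_temp(e):
    cmd = e["cmdline"]
    return basename(e["image"]) == "certutil.exe" and bool(DECODE_RE.search(cmd)) \
        and bool(TEMP_RE.search(cmd))

def exec_from_temp(e):
    return TEMP_RE.search(e["image"]) is not None

RULES = [office_spawns_advpack_inf, certutil_decode_to_temp, exec_from_temp]

def match_event(event):
    """Names of the rules a single event triggers."""
    return [rule.__name__ for rule in RULES if rule(event)]

def detect_chain(events):
    """All rule hits across a host's events, in the order they occurred."""
    return [name for e in events for name in match_event(e)]

def is_full_chain(events):
    """True when every stage of the chain was observed on the host."""
    return {r.__name__ for r in RULES} <= set(detect_chain(events))
```

Any single stage is only a weak signal (certutil and rundll32 have legitimate uses); the full chain on one host is what should page an analyst.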
Why is BitRAT such a Significant Threat?
The BitRAT malware is written in C++ and has many advanced capabilities, such as:
1. Controller: BitRAT has a licensing protocol to determine whether the individual running it is a paying customer. The .NET controller, obfuscated with Eazfuscator, sends an HTTP request to the vendor’s server, which responds with a base64-encoded string containing the licensing information. If there is no valid license, two requests are made for the purchase order, and the payloads are built on the vendor’s server.
2. Payload: The BitRAT payload is written in Visual C++ and uses multiple libraries such as Boost and libcurl. The files store string pointers in an array, and APIs (Application Programming Interfaces) are resolved and loaded directly. The malware also uses anti-debugging by calling NtSetInformationThread with ThreadHideFromDebugger. The payload is an advanced one, with a command dispatcher, HVNC (Hidden Virtual Network Computing) and a hidden browser, and a UAC (User Account Control) bypass.
With such capabilities and low prices, the BitRAT malware is a significant threat to organizations and businesses worldwide, as low-level cybercriminals can use it to carry out malicious attacks on a large scale without much expertise. The malware also includes:
- Persistence: BitRAT uses the BreakOnTermination flag to resist removal from the victim’s system and also attempts to elevate privileges.
- Webcam and Voice Recording: BitRAT can also initiate webcam and voice recordings to spy on the victim, relying on open-source libraries to do so: OpenCV for capturing the webcam and a modified version of A. Riazi’s library for voice recording.
How to Protect Systems Against BitRAT Malware?
BitRAT has been infamous for targeting cryptocurrency users by infecting their computers and stealing their private keys and login credentials. Now that it is being used against enterprises, here are some steps you can take to protect yourself against BitRAT and other types of malware:
- Keep your operating system and antivirus software up to date: Ensure you are running the latest version of your operating system and antivirus software, as updates often include security fixes that protect against new threats.
- Be cautious when downloading files: Avoid downloading files from unknown sources, and be careful when opening email attachments, even if they seem to be from a trusted source.
- Use a firewall: A firewall can help protect your computer by blocking incoming traffic from potentially harmful sources.
- Avoid suspicious websites: Be careful when visiting unfamiliar websites, as they may lead you to download malware-embedded software.
Following these steps can help you protect yourself against BitRAT and other types of malware.
However, it’s important to note that no security measures are foolproof, so it’s essential to always be vigilant and aware of the risks.
Final Words
The BitRAT malware has been available on dark web markets for a long time, allowing cybercriminals to deploy it in campaigns of their own design and cause all kinds of harm. This chained attack, spreading the malware via phishing and then using the stolen information for further phishing attacks, might be new. Still, such ideas and new tactics are to be expected from cybercriminals in 2023.
One thing organizations should take away from the BitRAT malware and the attack on the Colombian cooperative bank is that phishing remains the top choice of cybercriminals for malicious purposes, which is why organizations and businesses need phishing protection.