BitRAT Traders Now Using Stolen Banking Data as a Decoy


Qualys researchers have discovered a new technique used by users of the well-known BitRAT Trojan.

The hack uses real data from bank customers as a decoy. Unidentified cybercriminals appear to have co-opted the infrastructure of a Colombian banking cooperative, gaining access to a wide range of customer data, including Colombian national IDs, addresses and transaction records.

Qualys has not found any leaked information in dark web repositories and has disclosed the breach to its more than 400,000 victims.

BitRAT is a popular remote access Trojan that has been sold since February 2021 on a variety of criminal forums and websites for as little as 20 US dollars.

The bank details are stored in a malicious Excel document which, when downloaded, delivers a highly segmented .inf file as its payload. A macro in the Excel file reassembles the segments and writes the file to the %temp% folder on the victim's machine.

This .inf file in turn executes a second-stage .dll payload, which executes and then deletes the files in %temp%.

The .dll then downloads the final BitRAT payload to the %temp% directory from a GitHub repository, which was created by a disposable account in November of last year.

The repository contains four different upload files, each featuring real assets from two companies hijacked for authenticity along with a BitRAT sample.

WinExec then executes the new payload, after which the sample moves the loader to the startup folder, so that the Trojan runs every time a user boots their machine.
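As an added illustration, not code from the article or from Qualys, the following Python routine correlates constructed endpoint events per host and flags a host only when the stages described above appear in order: an Office process writing a .inf file into a Temp folder, a non-browser process then contacting GitHub, and a file then landing in the Startup folder. The event format, field names and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): timestamp|host|event|process|target
SAMPLE_EVENTS = """\
2022-01-03T10:00:01|WS01|FileCreate|EXCEL.EXE|C:\\Users\\a\\AppData\\Local\\Temp\\part.inf
2022-01-03T10:00:03|WS01|ProcessCreate|EXCEL.EXE|rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\part.inf
2022-01-03T10:00:05|WS01|NetConnect|rundll32.exe|raw.githubusercontent.com
2022-01-03T10:00:09|WS01|FileCreate|rundll32.exe|C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.exe
2022-01-03T10:05:00|WS02|FileCreate|EXCEL.EXE|C:\\Users\\b\\Documents\\q4.xlsx
2022-01-03T10:06:00|WS02|NetConnect|chrome.exe|github.com
2022-01-03T10:07:00|WS03|FileCreate|explorer.exe|C:\\Users\\c\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\note.lnk
"""

OFFICE = {"EXCEL.EXE", "WINWORD.EXE"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
GITHUB = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$", re.I)
TEMP_INF = re.compile(r"\\Temp\\[^\\]+\.inf$", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def office_drops_inf(ev, proc, tgt):
    return ev == "FileCreate" and proc.upper() in OFFICE and bool(TEMP_INF.search(tgt))


def nonbrowser_github_fetch(ev, proc, tgt):
    return ev == "NetConnect" and proc.lower() not in BROWSERS and bool(GITHUB.search(tgt))


def startup_persistence(ev, proc, tgt):
    return ev == "FileCreate" and bool(STARTUP.search(tgt))


# Ordered stages of the chain; a later stage only counts once the earlier one was seen
STAGES = [office_drops_inf, nonbrowser_github_fetch, startup_persistence]


def stage_progress(log_text):
    """Return {host: [names of stages reached, in order]}."""
    progress = defaultdict(list)
    # ISO timestamps lead each line, so a plain sort gives chronological order
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        _ts, host, ev, proc, tgt = line.split("|", 4)
        nxt = len(progress[host])
        if nxt < len(STAGES) and STAGES[nxt](ev, proc, tgt):
            progress[host].append(STAGES[nxt].__name__)
    return dict(progress)


def flagged_hosts(log_text):
    """Hosts on which the full dropper -> GitHub fetch -> Startup-folder chain was observed."""
    return sorted(h for h, s in stage_progress(log_text).items() if len(s) == len(STAGES))
```

Hosts that only show one isolated stage (a browser visiting GitHub, a shortcut placed in Startup) are not flagged, which keeps the rule focused on the sequence rather than on any single common event.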

The BitRAT Trojan is popular for its versatility. It can run tasks, mine cryptocurrency, steal credentials, exfiltrate data, perform DDoS attacks, and record from webcams and microphones.

“Commercial RATs have been evolving their methodology to spread and infect their victims,” said Akshat Pradhan, senior threat research engineer at Qualys, in a blog post. “They have also increased their use of legitimate infrastructure to host their payloads, and defenders must be held accountable.”
