A newly advertised malware, BitRAT, offered for 20 dollars on Darknet forums, has most recently been distributed using information stolen from the IT infrastructure of a Colombian bank. The threat actors managed to gain access to customer data including: Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salaries, and addresses. The threat group then used the stolen data to craft phishing emails that used the breached data as a lure to trick victims into downloading the malware. The malware's capabilities include:
- Data exfiltration
- Execution of payloads with bypasses
- DDoS
- Keylogging
- Webcam and microphone recording
- Credential theft
- Monero mining
- Running tasks against processes, files, software, etc.
Analyst Notes
Threat actors with access to stolen, sensitive data have many options for using it maliciously. In this case, the threat group chose to use confidential data as lures in phishing emails to carry out a second attack against the same victims. Whenever a company is alerted to a breach and makes it public, all customers who believe their data may have been compromised should remain vigilant for the use of that data in social engineering attacks, in order to prevent further harm. Such attacks may take the form of lures built on legitimate account data, and can also take the form of compromised legitimate email reply chains between trusted parties. It is highly recommended that users contact trusted parties directly to verify or confirm the legitimacy of such email. Organizations can also implement a defense-in-depth strategy that focuses on post-compromise activities, such as data exfiltration. Binary Defense's offerings are an excellent solution to such needs.
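The note above recommends focusing detection on post-compromise activity such as data exfiltration. As an added example (not code from the original advisory or from Binary Defense), the script below shows one simple form of that detection: it aggregates outbound bytes per host per day from egress logs and flags a day whose volume is far above that host's own prior baseline. The log format, host names, destinations and byte counts are constructed for illustration and are not from the page; the ratio and absolute floor are assumed tuning values.

```python
"""Flag hosts whose daily outbound byte volume spikes far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample egress log lines: "date host destination bytes_out".
# These values are made up for this example, not observed data.
SAMPLE_LOG = """\
2022-11-01 ws-017 cdn.example.net 41200
2022-11-01 ws-017 mail.example.net 18900
2022-11-02 ws-017 cdn.example.net 39800
2022-11-03 ws-017 cdn.example.net 44100
2022-11-04 ws-017 203.0.113.45 987654321
2022-11-01 ws-042 cdn.example.net 51000
2022-11-02 ws-042 cdn.example.net 49500
2022-11-03 ws-042 cdn.example.net 53200
2022-11-04 ws-042 cdn.example.net 50100
"""


def parse_egress(log_text):
    """Parse 'date host destination bytes' lines into (date, host, dest, bytes) tuples."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crashing the job
        date, host, dest, nbytes = parts
        records.append((date, host, dest, int(nbytes)))
    return records


def daily_totals(records):
    """Sum outbound bytes per host per day: {host: {date: total_bytes}}."""
    totals = defaultdict(int)
    for date, host, _dest, nbytes in records:
        totals[(host, date)] += nbytes
    by_host = defaultdict(dict)
    for (host, date), total in totals.items():
        by_host[host][date] = total
    return by_host


def find_exfil_spikes(log_text, ratio=10.0, min_bytes=100_000_000):
    """Return alerts for days where a host's egress exceeds `ratio` times the median
    of its prior days AND an absolute floor (`min_bytes`), so that a normally idle
    host does not trigger on small fluctuations. Both thresholds are assumed values."""
    by_host = daily_totals(parse_egress(log_text))
    alerts = []
    for host, days in by_host.items():
        ordered = sorted(days.items())  # ISO dates sort chronologically as strings
        for i, (date, total) in enumerate(ordered):
            prior = [t for _, t in ordered[:i]]
            if not prior:
                continue  # no baseline yet on the first observed day
            baseline = median(prior)
            if total >= min_bytes and total > ratio * baseline:
                alerts.append({"host": host, "date": date,
                               "bytes": total, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_spikes(SAMPLE_LOG):
        print(f"{alert['date']} {alert['host']}: {alert['bytes']} bytes out "
              f"(baseline {alert['baseline']:.0f})")
```

A per-host baseline is used rather than a single global threshold because normal egress differs widely between workstations, servers and backup systems; in practice the aggregation would run over proxy, firewall or NetFlow exports rather than an inline string, and the alert would be enriched with the destination so an analyst can see whether the traffic went somewhere the host had never contacted before.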
BitRAT campaign relies on stolen sensitive bank data as a lure