Unit 42 Identifies Malware Focusing On Israeli Fintech Firms

According to a blog post published by Unit 42, the threat research arm of cyber security firm Palo Alto Networks, a specific piece of malware is seeking out and attacking fintech companies in Israel, commonly those working with cryptocurrency trading and forex. The blog post was published today, March 19, 2019.

According to the blog post, Unit 42 first came across an older version of this particular malware back in 2017. It is called Cardinal RAT and has been caught attacking two fintech companies from Israel that develop software solutions for crypto trading and forex. First identified in April 2017, Cardinal RAT belongs to the RAT (Remote Access Trojan) category: malware designed to let an attacker remotely control a compromised system.

The blog post elaborates:

“We witnessed attacks targeting the financial technology (FinTech) sector, primarily focused on organizations based in Israel. While researching these attacks, we discovered a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.”

The fresh updates made to this particular malware make it harder to detect. It also makes use of certain obfuscation mechanisms to hinder analysis. However, even though detectability seems to have been reduced considerably, the payload itself remains more or less the same as in the original version of the malware: it works along the same lines and relies on broadly the same methods.

This malware reportedly makes use of a BMP trick, collects information from the victim's computer, performs a settings update, serves as a reverse proxy, executes commands and can uninstall itself. It appears to be employed specifically against fintech firms, particularly those based in Israel.

Unit 42 has concluded that this malware is being used against fintech firms based on the following indicators:

“Our telemetry shows these families are only used against companies in this sector. The lure documents used consistently related to lists of names/numbers of individuals involved in trading forex/crypto currency, a niche theme to use if targeting individuals outside of this sector.”