Threat actors are using data stolen from a Colombian bank as a lure in what appears to be a malicious campaign aimed at spreading the BitRAT malware, researchers have found. The activity demonstrates the evolution of how attackers are using commercial, off-the-shelf malware in advanced threat scenarios, they said.
Researchers at IT security and compliance firm Qualys were investigating "multiple lures" for BitRAT when they identified that the infrastructure of a Colombian cooperative bank had been hijacked. Attackers were using sensitive data gleaned from that compromise to try to capture victims, they reported in a blog post published Jan. 3.
"While digging deeper into the infrastructure, we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps," Akshat Pradhan, senior engineer of threat research at Qualys, wrote in the post.
Overall, threat actors leaked 4,18,777 rows of sensitive data from the bank's customers, including details such as Colombian national ID numbers — called "Cedula" numbers — as well as email addresses, phone numbers, customer names, payment records, salary, home addresses, and other data, researchers said.
So far, researchers have not seen the data dumped on any hacker forums or Dark Web sites, and are following standard breach-disclosure guidelines as they further investigate, they said.
A Commercial RAT With a Long Tail
Threat actors began marketing BitRAT on underground cybercriminal markets starting in February 2021. The RAT is notorious for its social media presence and its relatively low price of $20, which makes it popular among cybercriminals, researchers said.
Key capabilities of BitRAT include: data exfiltration, execution of payloads with bypasses, distributed denial of service (DDoS), keylogging, webcam and microphone recording, credential theft, Monero mining, and running tasks for process, file, and software, among others.
BitRAT is an example of how the use of commercial RATs has evolved not only with new capabilities for propagation, but also by harnessing the use of legitimate infrastructures to host malicious payloads, Pradhan said. This is something that enterprises now need to account for in their respective security defense postures, he noted.
To that end, researchers advised that all organizations employ endpoint detection and response (EDR) solutions to detect malware such as BitRAT as it inserts itself into a network endpoint, they said. Functions like asset management, vulnerability detection, policy compliance, patch management, and file-integrity monitoring capabilities across a system are key for combating malware like this, they added.
Enterprises should also implement external attack surface management solutions, which allow for continuous monitoring and reduction of the entire enterprise attack surface — including internal and Internet-facing assets and discover previously unidentified exposures — to counter evolving threats, researchers said.
Anatomy of the BitRAT
Researchers found and analyzed a cache of Excel sheets — all authored by "Administrator" — being used as lures for a BitRAT campaign, with data from the tables being reused in Excel maldocs as well being included in the database dump, they said.
"The Excel contains a highly obfuscated macro that will drop an .inf payload and execute it," Pradhan wrote in the post. "The .inf payload is segmented into hundreds of arrays in the macro."
A de-obfuscation routine performs arithmetic operations on the arrays to rebuild the payload once it's ready for execution, with the macro then writing the payload to "temp" and executing it via a file called advpack.dll, he said.
The macro itself also includes a hex-encoded, second-stage .dll payload that is decoded via certutil, written to "%temp%\," and executed by the command "rundll32," researchers found. After this process is executed, the temp files are then deleted, they said.
It's this .dll file that uses various anti-debugging techniques to download and execute the final BitRAT payload. The file also uses the WinHTTP library to download BitRAT-embedded payloads from a GitHub repository created in mid-November by a "throwaway" account to the "%temp%" directory, Pradhan wrote.
In the final stage of BitRAT execution, the .dll uses WinExec to start the "%temp%" payload and exits. To maintain persistence on a user's machine, the BitRAT sample starts and then relocates the loader to the user's startup, the researchers said.