Cardinal RAT went unnoticed for two years


Security researchers have discovered a remote access Trojan that used malicious Excel macros to download and run the malware.

Called Cardinal RAT, the malware was found by researchers at Palo Alto Networks. The Trojan has been lying low with 27 samples collected over a two-year period.

According to a blog post, the malware is delivered via a downloader, dubbed Carp, that uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable, which in turn is run to deploy the Cardinal RAT malware family.

The Excel files sport a variety of lures to entice victims into running the malware. The downloader helps evade detection because it compiles and executes C# source code using the csc.exe utility built into Microsoft Windows.

The downloader pulls the malware from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), decrypts it using AES-128, and then executes it. While the downloader is not required to download this particular malware, researchers said that it has exclusively done so.
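The two behaviours described above (csc.exe launched from an Excel session, and plaintext HTTP on port 443) lend themselves to simple detections. The following is an added example, not code from the Palo Alto Networks report; the event field names and all sample data are constructed, and it assumes csc.exe appears as a descendant of the Excel process in process-creation logs.

```python
# Added example: constructed telemetry, not data from the Palo Alto Networks report.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def classify_443_payload(first_bytes: bytes) -> str:
    """Classify the first client bytes of a TCP/443 session."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

def csc_spawned_by_excel(events):
    """Return csc.exe process events that have excel.exe among their ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\csc.exe"):
            continue
        seen, parent = set(), by_pid.get(e["ppid"])
        while parent and parent["pid"] not in seen:  # walk up, guarding against PID loops
            if parent["image"].lower().endswith("\\excel.exe"):
                hits.append(e)
                break
            seen.add(parent["pid"])
            parent = by_pid.get(parent["ppid"])
    return hits

# Constructed sample data (hypothetical field names modelled on process-creation logs).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
]
SESSIONS = {
    "constructed-tls": bytes.fromhex("160301020001"),
    "constructed-http": b"GET /payload HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for e in csc_spawned_by_excel(EVENTS):
        print("csc.exe under Excel:", e["pid"], e["image"])
    for name, data in SESSIONS.items():
        print(name, "->", classify_443_payload(data))
```

Only the csc.exe instance under Excel is flagged; the one started from a development tool is not, which keeps the rule usable on hosts where compiling is normal.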

According to Josh Grunzweig, malware researcher with Unit 42, Palo Alto Networks, the majority of these lures are financial-related, describing various fake customer lists for various organisations. "Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information," he said.

He added that the name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET Framework executables.

"To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long," he said.

When the Trojan is initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality.

"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively," said Grunzweig.

The malware then sends information such as the username, hostname, Windows version, and processor architecture to a command and control server. It can also find passwords, log keystrokes and capture screenshots.

Rene Millman
