
Cardinal RAT

Posted: May 13, 2019

The Cardinal RAT is a malware family that was first spotted by cybersecurity researchers in 2017 – it was used in a series of attacks against companies in different industrial sectors. However, after nearly two years of inactivity, the Cardinal RAT has risen once again, and this time it has been used to target Israel-based companies that deal with financial technology services linked to cryptocurrency and forex markets. Despite disappearing for over two years, the latest samples of the Cardinal RAT do not include any major improvements in terms of functionality – however, its authors have taken the required actions to obfuscate its code and make some other changes that serve the purpose of confusing antivirus products, and evading malware-debugging environments.

The campaign from 2017 was very limited in terms of reach – researchers were able to identify around 27 cases where the Cardinal RAT was used. There is still not enough information to determine the scale of the current attack, but so far it seems to be limited to just two Israel-based companies. The malware would allow remote attackers to collect login credentials, grab cookies from Web browsers, log keystrokes, and take screenshots of the compromised system. All data is then transferred to a remote server controlled by the attacker.

It appears that the propagation method used to spread the Cardinal RAT is bogus email attachments that may be disguised as legitimate documents. However, the recipient would receive a macro-laced document that, upon execution, uses the macro commands to unpack the Cardinal RAT and initialize the attack.

Protecting your systems from the Cardinal RAT requires more than just using a reputable antivirus product – it is also recommended to instruct all employees to avoid opening suspicious email attachments, and to be extra wary of ‘.LNK’ files that arrive via email.
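The delivery method described above (a macro-laced document unpacked by its macro commands) and the advice to watch for ‘.LNK’ attachments both lend themselves to a simple mail-gateway triage check. The following Python script is an added example, not code from the original page or any analysis of the Cardinal RAT itself: it flags attachments that are Windows shortcut files (by extension or by the shell-link header), OOXML documents that embed a VBA project, macro-enabled Office extensions, and legacy OLE2 containers that would need deeper inspection. The sample documents it builds are constructed in memory with a placeholder `vbaProject.bin`, and the check is generic attachment hygiene rather than a signature for this malware family.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Magic values for the two container formats the triage looks at.
LNK_MAGIC = b"\x4c\x00\x00\x00"                  # HeaderSize field of a Windows shell link
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office / OLE2 compound file
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


@dataclass
class TriageResult:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML (zip) document, optionally with a
    placeholder VBA project part where Word would store real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


def triage_attachment(filename: str, data: bytes) -> TriageResult:
    """Return the reasons an email attachment deserves a closer look.
    Empty reasons means none of the checks fired, not that the file is safe."""
    result = TriageResult(filename)
    lower = filename.lower()

    # Shortcut files: check the header too, so a renamed .lnk is still caught.
    if lower.endswith(".lnk") or data.startswith(LNK_MAGIC):
        result.reasons.append("Windows shortcut (.LNK) file")

    # Macro-enabled extensions are a hint even before the content is parsed.
    if lower.endswith(MACRO_EXTENSIONS):
        result.reasons.append("macro-enabled Office extension")

    # OOXML is a zip; a vbaProject.bin part means the document carries VBA.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        except zipfile.BadZipFile:
            hits = []
        if hits:
            result.reasons.append("OOXML document embeds a VBA project: " + ", ".join(hits))

    # Legacy .doc/.xls are OLE2 containers; macros cannot be ruled out without
    # a full OLE parser, so route them to sandboxing rather than pass them.
    if data.startswith(OLE_MAGIC):
        result.reasons.append("legacy OLE2 Office container; needs deeper macro inspection")

    return result


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_ooxml(with_macro=True),
        "report.docx": build_sample_ooxml(with_macro=False),
        "statement.pdf.lnk": LNK_MAGIC + b"\x00" * 16,  # constructed shortcut header
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        r = triage_attachment(name, blob)
        print(f"{name}: {'SUSPICIOUS' if r.suspicious else 'ok'} {r.reasons}")
```

The zip check is deliberately independent of the file extension: a document named `.docx` that nonetheless contains `word/vbaProject.bin` is flagged on content, while a clean `.docx` with no VBA part passes.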
