BitRAT malware campaign uses stolen bank data for phishing

Threat actors behind a recent malware campaign have been using the stolen information of bank customers in Colombia as lures in phishing emails designed to infect targets with the BitRAT remote access trojan, according to cloud security firm Qualys.

The company found that the infrastructure of an undisclosed Colombian cooperative bank had been hijacked by attackers while investigating BitRAT lures in active phishing attacks.

A total of 418,777 records containing sensitive customer data, including names, phone numbers, email addresses, addresses, Colombian national IDs, payment records, and salary information, were stolen from the breached servers.

While investigating the campaign, Qualys also discovered evidence that the attackers had accessed customers' data, including logs showing that they looked for SQL injection bugs using the sqlmap tool.

"Moreover, the lures themselves contain sensitive data from the bank to make them appear legitimate. This means that the attacker has gotten access to customers’ data," Qualys said.

"While digging deeper into the infrastructure we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps."

At the moment, none of the information stolen from the Colombian bank's servers has been found on dark web or clearweb sites monitored by Qualys.

The malware is delivered to victims' computers via a malicious Excel file that drops and executes an INF file encoded within a highly obfuscated macro bundled with the attachment.

The final BitRAT payload is then downloaded from a GitHub repository using the WinHTTP library on the compromised device and executed with the help of the WinExec function.

During the last stage of the attack, the RAT malware moves its loader to the Windows startup folder to gain persistence and automatically restart after system reboots.

Since at least August 2020, BitRAT has been sold as off-the-shelf malware on dark web markets and cybercrime forums for as little as $20 for lifetime access.

After paying for a license, each "customer" uses their own approach to infect victims with this malware, such as phishing, watering holes, and trojanized software.

The highly versatile BitRAT can be used for a variety of malicious purposes, including recording video and audio, data theft, DDoS attacks, cryptocurrency mining, and delivering additional payloads.

"Commercial off the shelf. RATs have been evolving their methodology to spread and infect their victims," said Qualys threat research senior engineer Akshat Pradhan.

"They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it."