2023/01/11 14:01:31

BitRAT (malware)

2023: Hackers steal data from hundreds of thousands of customers of one of Colombia's biggest banks

On January 3, 2023, IT security company Qualys revealed details of a highly convoluted cyber campaign in which attackers spread the BitRAT malware.

The cybercriminals send phishing emails with a malicious Excel file attached. The emails are carefully personalized: researchers established that the attackers compose them using data stolen from one of the largest banks in Colombia. In that breach, 418,777 lines of confidential customer information were stolen, including Cedula numbers (the Colombian national identity card), email addresses, phone numbers, names, payment records, wages, etc. Users are much more likely to fall for phishing when they receive a personalized email containing information that only their bank or another trusted organization should have.


The dropper mechanism in the attached Excel file is quite complex. A heavily obfuscated macro hidden inside the document is executed: it generates an .inf module from hundreds of arrays, which are reassembled using arithmetic operations. The final .inf file is then executed through advpack.dll. The .inf file contains the encoded second-stage loader in the form of a DLL. Ultimately, the BitRAT malware is downloaded to the victim's computer from a GitHub repository.
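An added example (not from the original article or from Qualys) of hunting in process-creation logs for the execution step described above, where an .inf file is run through advpack.dll. The page names only advpack.dll; the rundll32.exe / LaunchINFSection command-line form, the event field names, the scoring weights and the sample events are assumptions constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\ana\AppData\Local\Temp\x1.inf,DefaultInstall_SingleUser,1,"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" ADVPACK.DLL, LaunchINFSectionEx "C:\ProgramData\setup.inf",,1,N'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"splwow64.exe 8192"},
]

# Assumed invocation form: an INF section launched via an advpack.dll export.
ADVPACK_INF = re.compile(r"advpack(?:\.dll)?\s*,\s*LaunchINFSection(?:Ex)?", re.I)
INF_PATH = re.compile(r'([A-Za-z]:\\[^",]+?\.inf)', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    cmd = ev["cmdline"]
    if not ADVPACK_INF.search(cmd):
        return 0, []
    score, reasons = 1, ["INF section launched through advpack.dll"]
    m = INF_PATH.search(cmd)
    if m and any(p in m.group(1).lower() for p in USER_WRITABLE):
        score += 1
        reasons.append("INF in user-writable path: " + m.group(1))
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        score += 2  # Office spawning an INF install is the strongest signal here
        reasons.append("spawned by Office application: " + parent)
    return score, reasons

def triage(events):
    """Return flagged events as (index, score, reasons), highest score first."""
    hits = [(i, *score_event(ev)) for i, ev in enumerate(events)]
    return sorted((h for h in hits if h[1] > 0), key=lambda h: -h[1])

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(idx, score, "; ".join(reasons))
```
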

With BitRAT, attackers can perform a variety of operations. The Trojan is capable of data theft, keylogging, recording from the webcam and microphone, and launching other malicious programs. In addition, BitRAT can be used to conduct DDoS attacks and to covertly mine the Monero cryptocurrency. On underground forums, BitRAT is offered for about $20.[1]

Notes