January 3, 2023 (updated 04 Jan 2023 9:58am)

BitRAT malware deployed using stolen financial data

More than 400,000 stolen pieces of valuable information are being used to con victims into downloading malware.

By Claudia Glover

Hackers are using stolen financial information as bait in a sophisticated phishing scam. More than 400,000 data points, including identification numbers, names, phone numbers and payment records, are being used to convince people to click a malicious link. This downloads a powerful piece of malware called BitRAT that spies on users, installs cryptomining software and can steal credentials.

A pesky RAT known as BitRAT is being used to launch phishing attacks. (Photo by Wirestock Creators/Shutterstock)

BitRAT is a remote access trojan (RAT), a type of malware designed to help an attacker remotely control an infected machine. Research from security vendor Qualys has uncovered the widespread use of stolen data from Colombia to help deploy the problematic programme.

Financial data used in BitRAT scam

The hacking gang behind the campaign is currently unknown, but they are believed to have breached the IT infrastructure of a cooperative bank in Colombia by exploiting SQL injection faults. This is a common technique in which attacker-supplied input is interpreted as part of a database query; in the error-based variant, the hackers manipulate the database into generating error messages that reveal the database's structure.
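As an added illustration of the error-based SQL injection the article describes (example code written for this page, not from Qualys or the article), the lookup below splices input straight into the query text and echoes the database engine's error, which names the schema element the input referenced; the parameterized version treats the same input as data and returns only a generic failure message. The table, column names and values are constructed for the demo and are not the bank's data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a customer table (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.execute("INSERT INTO customers (name, phone) VALUES ('Alice', '555-0100')")
    conn.commit()
    return conn


def lookup_unsafe(conn, customer_id):
    """Vulnerable: the input is spliced into the SQL text, so the engine parses it as SQL.

    Any parse or schema error the engine raises is passed back verbatim, which is
    exactly the feedback an error-based probe relies on to map the schema.
    """
    sql = f"SELECT name FROM customers WHERE id = {customer_id}"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}  # leaks engine-generated detail


def lookup_safe(conn, customer_id):
    """Hardened: parameter binding keeps the input as a value, never as query text.

    Errors are logged server-side in a real deployment; the caller only sees a
    fixed message, so nothing about the schema is echoed back.
    """
    try:
        rows = conn.execute(
            "SELECT name FROM customers WHERE id = ?", (customer_id,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    probe = "1 AND nosuchcol = 1"  # constructed malformed input
    print("unsafe:", lookup_unsafe(db, probe))   # error text names 'nosuchcol'
    print("safe:  ", lookup_safe(db, probe))     # no rows, generic message only
```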

The information does not appear to have been used or shared anywhere else, suggesting the data was stolen specifically for the scam, Qualys says.

The phishing scheme involves email messages using the pilfered financial data to persuade victims to click on a nefarious link to an Excel spreadsheet. This downloads BitRAT directly onto their machine.

Cybercriminals have been evolving their use of RATs, the Qualys report says. “They have increased their usage of legitimate infrastructures to host their payloads. Defenders need to account for it,” it says.

How are cybercriminals using BitRAT?

BitRAT can be bought on the dark web for $20, making it a useful and low-cost tool for criminals.


If deployed successfully, BitRAT can be used in a variety of ways by criminals, including diverting the machine’s resources to cryptomining or to help launch DDoS attacks, and the recording of keystrokes, microphone and webcam activity. 

The malicious tool initially emerged for sale on the dark web in August 2020, and in March of last year, it was successfully spread throughout South Korea through users trying to activate pirated Windows operating systems for free.

In February, BitRAT was widely deployed alongside the promise of information on non-fungible tokens (NFTs). Much like this latest scam, victims were lulled into opening an Excel spreadsheet with the promise of exclusive information on digital tokens. The scam spread through email and through Discord servers.

“BitRAT’s popularity arises from its versatility,” says a report by security company Bitdefender. “Furthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations such as trojanised software, phishing and watering hole attacks,” it says. A watering hole attack is where multiple machines are affected at once by attacking one key piece of hardware.

