Hackers are using stolen financial information as bait in a sophisticated phishing scam. More than 400,000 data points, including identification numbers, names, phone numbers and payment records, are being used to convince people to click a malicious link. This downloads a powerful malware called BitRAT that spies on users, installs cryptomining software and can steal credentials.
BitRAT is a remote access trojan (RAT), a type of malware designed to help an attacker remotely control an infected machine. Research from security vendor Qualys has uncovered the widespread use of stolen data from Colombia to help deploy the problematic programme.
Financial data used in BitRAT scam
The hacking gang behind the campaign is currently unknown, but they are believed to have breached the IT infrastructure of a cooperative bank in Colombia by exploiting SQL injection flaws. This is a common technique, whereby hackers feed crafted input into a database query to manipulate the database into generating error messages that reveal its structure.
The information does not appear to have been used or shared anywhere else, suggesting the data was stolen specifically for the scam, Qualys says.
The phishing scheme involves email messages using the pilfered financial data to persuade victims to click on a nefarious link to an Excel spreadsheet. This downloads BitRAT directly onto their machine.
Cybercriminals have been evolving their use of RATs, the Qualys report says. “They have increased their usage of legitimate infrastructures to host their payloads. Defenders need to account for it,” it says.
How are cybercriminals using BitRAT?
BitRAT can be bought on the dark web for $20, making it a useful and low-cost tool for criminals.
If deployed successfully, BitRAT can be used in a variety of ways by criminals, including diverting the machine’s resources to cryptomining or to help launch DDoS attacks, and recording keystrokes, microphone and webcam activity.
The malicious tool initially emerged for sale on the dark web in August 2020, and in March of last year it spread widely in South Korea via users trying to activate pirated Windows operating systems for free.
In February, BitRAT was widely deployed alongside the promise of information on non-fungible tokens (NFTs). Much like this latest scam, victims were lulled into opening an Excel spreadsheet with the promise of exclusive information on digital tokens. The scam spread through email and through Discord servers.
“BitRAT’s popularity arises from its versatility,” says a report by security company Bitdefender. “Furthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations such as trojanised software, phishing and watering hole attacks,” it says. A watering hole attack is one where a single resource that many victims rely on, typically a website they regularly visit, is compromised so that multiple machines are affected at once.