lconstantin
CSO Senior Writer

Attackers use stolen banking data as phishing lure to deploy BitRAT

News Analysis
Jan 04, 2023 | 4 min read
Cyberattacks, Data Breach, Phishing

Data from an older breach lends credibility to this newer sophisticated attack that delivers a highly obfuscated payload.

[Image: a fish hook hovering above binary code with a caution triangle. Credit: Andreus / Getty Images]

In a case that highlights how attackers can leverage information from data breaches to enhance their attacks, a group of attackers is using customer information stolen from a Colombian bank in phishing attacks that carry malicious documents, researchers report. The group, which might have been responsible for the data breach in the first place, is distributing an off-the-shelf Trojan program called BitRAT that has been sold on the underground market since February 2021.

Stolen data used to add credibility to future attacks

Researchers from security firm Qualys spotted the phishing lures, which were Excel documents carrying malicious macros but appearing to contain information about real people. On closer inspection, the data appeared to have been taken from a Colombian cooperative bank. Examining the bank's public web infrastructure, the researchers found logs suggesting the sqlmap tool had been used to perform a SQL injection attack, as well as database dump files the attackers had created.

“Overall, 418,777 rows of sensitive customer data have been leaked, with details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, address, etc.,” the researchers said in their report. “As of today, we have not found this information shared on any of our darkweb/clearweb monitored lists.”

Attacker groups sometimes buy data on the dark web, but since this data has not appeared in any public offering, it was either sold privately or obtained by the phishing group itself.

This is a clear example of a threat that researchers have long warned about following any data breach: Even if the stolen data does not appear to have immediate value, or cannot easily be exploited for monetary gain or account access, attackers can still use it to add credibility to other attacks. Users are much more likely to fall for an email that includes personal information that only their bank or a trusted service provider should have.

Multi-stage droppers

The dropper mechanism in the Excel files is fairly sophisticated. First, a highly obfuscated macro hidden inside the file executes and generates an .inf file from hundreds of arrays that are reconstructed using arithmetic operations. The resulting .inf file is then executed through advpack.dll, a Windows library that assists with hardware and software installation by reading and verifying .INF files.

The .INF file contains an encoded second-stage loader in the form of a DLL, which is decoded with the Windows certutil.exe utility and executed with rundll32. This loader then uses the WinHTTP library to download the BitRAT payload from a GitHub repository. The GitHub account was created in November and hosted multiple such payloads.

These payloads were themselves obfuscated with SmartAssembly and reflectively load the BitRAT binary, which is in turn obfuscated with DeepSea. Once deployment completes, all the temporary files created by the various stagers are deleted, and the payload and the BitRAT binary are copied to the Startup folder to achieve persistence.
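The stages above leave a recognisable trail in endpoint telemetry: an Office process spawning rundll32 with advpack.dll, certutil decoding a file, rundll32 loading a DLL from a user-writable directory, that rundll32 reaching out to GitHub, and a file landing in the Startup folder. The following is an added detection example written for this article, not code from Qualys or from the report; it runs simple stage rules over constructed Sysmon-style process, network and file-create events and reports a host on which several stages occur within a short window. The specific advpack.dll invocation it looks for (rundll32 advpack.dll,LaunchINFSection) is an assumption about how the .inf is launched; the article only says advpack.dll executes it.

```python
"""Chain detection for the BitRAT dropper described in the article.

Added example, not the Qualys report's or the article's own code. Event
records and their field names (ts, host, type, parent, image, cmdline,
dest_host, path) are constructed to resemble Sysmon process-create,
network-connect and file-create events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories a standard user can write to (regexes over Windows paths).
USER_WRITABLE = r"(?i)\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\"
STARTUP_DIR = r"(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")


def _cmd(e):
    return e.get("cmdline", "")


# (stage name, event type it applies to, predicate). Order is the expected
# order of the chain but matching does not require it.
STAGE_RULES = [
    # Assumed invocation: rundll32 advpack.dll,LaunchINFSection <file>.inf,<section>
    ("office_advpack_inf", "process",
     lambda e: e["parent"].lower().endswith(OFFICE_APPS)
     and "advpack.dll" in _cmd(e).lower()
     and "launchinfsection" in _cmd(e).lower()),
    ("certutil_decode", "process",
     lambda e: e["image"].lower().endswith("certutil.exe")
     and re.search(r"(?i)\s-decode(hex)?\b", _cmd(e)) is not None),
    ("rundll32_userdir_dll", "process",
     lambda e: e["image"].lower().endswith("rundll32.exe")
     and "advpack.dll" not in _cmd(e).lower()
     and re.search(USER_WRITABLE, _cmd(e)) is not None),
    ("rundll32_github_fetch", "network",
     lambda e: e["image"].lower().endswith("rundll32.exe")
     and e.get("dest_host", "").lower().endswith(("github.com", "githubusercontent.com"))),
    ("startup_folder_drop", "file",
     lambda e: re.search(STARTUP_DIR, e.get("path", "")) is not None),
]


def match_stages(event):
    """Return the names of every stage rule the event satisfies."""
    return [name for name, etype, pred in STAGE_RULES
            if event["type"] == etype and pred(event)]


def find_chains(events, window=timedelta(minutes=15), min_stages=3):
    """Report hosts where at least min_stages distinct stages fire within window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage in match_stages(e):
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    chains = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):          # anchor a window on each hit
            stages = []
            for t, stage in hits[i:]:
                if t - t0 > window:
                    break
                if stage not in stages:
                    stages.append(stage)
            if len(stages) >= min_stages:
                chains.append({"host": host, "start": t0.isoformat(), "stages": stages})
                break                                 # one finding per host
    return chains


# Constructed sample telemetry: a full chain on WS01, a lone certutil on WS02.
T = r"C:\Users\ana\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ts": "2023-01-04T10:00:01", "host": "WS01", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": rf"rundll32.exe advpack.dll,LaunchINFSection {T}\ab.inf,DefaultInstall"},
    {"ts": "2023-01-04T10:00:02", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": rf"certutil.exe -decode {T}\ld.txt {T}\ld.dll"},
    {"ts": "2023-01-04T10:00:03", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": rf"rundll32.exe {T}\ld.dll,Run"},
    {"ts": "2023-01-04T10:00:05", "host": "WS01", "type": "network",
     "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "raw.githubusercontent.com"},
    {"ts": "2023-01-04T10:00:09", "host": "WS01", "type": "file",
     "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    {"ts": "2023-01-04T11:30:00", "host": "WS02", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\certs\ca.b64 C:\certs\ca.cer"},
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain["host"], chain["start"], " -> ".join(chain["stages"]))
```

Each rule on its own is noisy (administrators do run certutil -decode, and rundll32 legitimately loads DLLs from ProgramData), which is why the finding is raised on the co-occurrence of several stages on one host inside a short window rather than on any single event. The WS02 event shows the intended behaviour: one stage fires, no chain is reported.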

This process, which combines multiple layers of obfuscation and encoding, anti-debugging techniques, the use of several built-in system utilities for execution, and reflective DLL loading, indicates attackers who are well versed in malware creation and delivery.

BitRAT itself is a powerful and feature-rich Trojan that can perform data exfiltration, keylogging, DDoS attacks, payload execution, webcam and microphone recording, Monero mining, credential theft, and more. Yet it is available for as little as $20 on underground forums. The attackers' choice of an off-the-shelf Trojan instead of a custom one could be the result of both convenience and an intention to make attribution difficult: because the malware is so cheap, it is likely used by many different groups.