Data from an older breach lends credibility to this newer, sophisticated attack that delivers a highly obfuscated payload.

In a case that highlights how attackers can leverage information from data breaches to enhance their attacks, a group of attackers is using customer information stolen from a Colombian bank in phishing attacks with malicious documents, researchers report. The group, which might have been responsible for the data breach in the first place, is distributing an off-the-shelf Trojan program called BitRAT that has been sold on the underground market since February 2021.

Stolen data used to add credibility to future attacks

Researchers from security firm Qualys spotted phishing lures that involved malicious Excel documents which appeared to contain information about real people. Looking more closely at the information, it appeared the data had been taken from a Colombian cooperative bank. After examining the bank's public web infrastructure, the researchers found logs suggesting that the sqlmap tool had been used to perform an SQL injection attack. They also found database dump files that the attackers had created.

"Overall, 418,777 rows of sensitive data have been leaked of customers with details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, address, etc.," the researchers said in their report. "As of today, we have not found this information shared on any of our darkweb/clearweb monitored lists."

Attacker groups sometimes buy data on the dark web, but since this data did not appear in any public offerings, it was either a private sale or the attackers behind the phishing campaign obtained it themselves.
This is a clear example of a threat that researchers have long warned about following any data breach: even if the stolen data does not appear to have immediate value, or cannot easily be exploited for monetary gain or account access, attackers can still use it to add credibility to other attacks. Users are much more likely to fall for an email that includes personal information that only their bank or a trusted service provider would have.

Multi-stage droppers

The dropper mechanism in the Excel files is fairly sophisticated. First, a highly obfuscated macro script hidden inside the file is executed; it generates an .inf file from hundreds of arrays that are reconstructed using arithmetic operations. The resulting .inf file is then executed using advpack.dll, a library that assists with hardware and software installs by reading and verifying .INF files. The .INF file contains an encoded second-stage loader in the form of a DLL that is decoded using the Windows certutil.exe utility and executed using rundll32. This loader then uses the WinHTTP library to download the BitRAT payload from a GitHub repository. The GitHub account was created in November and hosted multiple such payloads.

These payloads were themselves obfuscated with SmartAssembly and reflectively load the BitRAT binary, which is in turn obfuscated with DeepSea. After deployment, all the temporary files created by the various stagers are deleted, and the payload and BitRAT binary are copied to the startup folder to achieve persistence.

This process, which involves multiple layers of obfuscation, encoding, anti-debugging techniques, the use of various system utilities for execution, and reflective DLL loading, indicates that the attackers are well versed in malware creation and delivery. BitRAT itself is a powerful and feature-rich Trojan that can perform data exfiltration, keylogging, DDoS attacks, payload execution, webcam and microphone recording, Monero mining, credential theft, and more.
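The execution chain described above (Office process launching the .inf via advpack.dll, certutil decoding the loader, rundll32 running a DLL from a temp directory) is the kind of sequence a detection engineer would look for in endpoint process-creation telemetry. The following is an added example, not code from Qualys or from the article; the event field names, the sample events and the exact command lines (including the assumed advpack.dll LaunchINFSection invocation) are constructed assumptions that model the stages the article describes.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from the article). Field names and
# command lines are assumptions modelled on the dropper stages described above.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "parent": "EXCEL.EXE", "image": "rundll32.exe",
     "cmdline": "rundll32.exe advpack.dll,LaunchINFSection C:\\Users\\u\\AppData\\Local\\Temp\\x.inf,DefaultInstall"},
    {"host": "WS01", "ts": 103, "parent": "rundll32.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\u\\AppData\\Local\\Temp\\enc.txt C:\\Users\\u\\AppData\\Local\\Temp\\ldr.dll"},
    {"host": "WS01", "ts": 105, "parent": "rundll32.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\ldr.dll,Run"},
    # Benign administrative certutil use on another host: must not be flagged.
    {"host": "WS02", "ts": 200, "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
TEMP_DLL = re.compile(r"\\temp\\[^\s,]+\.dll", re.IGNORECASE)

def classify(ev):
    """Map one process-creation event to a dropper stage name, or None if it matches no stage."""
    img, cmd, parent = ev["image"].lower(), ev["cmdline"].lower(), ev["parent"].lower()
    if img == "rundll32.exe" and "advpack.dll" in cmd and parent in OFFICE_PARENTS:
        return "office_inf_via_advpack"      # Office spawning advpack.dll to run an .inf
    if img == "certutil.exe" and "-decode" in cmd:
        return "certutil_decode"             # certutil used to decode an embedded payload
    if img == "rundll32.exe" and TEMP_DLL.search(cmd):
        return "rundll32_temp_dll"           # rundll32 executing a DLL dropped in a temp dir
    return None

def find_chains(events, window=60, min_stages=2):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages occur within `window` seconds of each other. Requiring a
    chain rather than a single stage keeps lone benign certutil/rundll32 use quiet."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, stamped in by_host.items():
        for i, (t0, _) in enumerate(stamped):
            stages = {s for t, s in stamped[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Real telemetry would use the EDR's own field names and should also feed the GitHub download (WinHTTP from a rundll32-hosted DLL) and the startup-folder write as additional stages.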
However, it is available for as little as $20 on underground forums. The attackers' choice of an off-the-shelf Trojan instead of a custom one could be the result of both convenience and the intention to make attribution difficult. Since this malware program is so cheap, it is likely used by many different groups.