"BitRAT Campaign Relies on Stolen Sensitive Bank Data as a Lure"

Researchers at Qualys discovered a new malware campaign distributing the BitRAT Remote Access Trojan (RAT) via phishing emails that use stolen bank information as a lure. BitRAT is a relatively new threat that has been advertised on underground marketplaces and forums for $20 since February 2021. The RAT facilitates data exfiltration, payload execution with bypasses, Distributed Denial-of-Service (DDoS) attacks, keylogging, webcam recording, credential theft, and more. While analyzing various BitRAT lures, the researchers found that a threat actor had likely gained access to client data by hijacking the Information Technology (IT) infrastructure of a cooperative bank in Colombia. The attackers then used bait, including sensitive financial data, to convince victims to install malware. The researchers determined that the threat actors had access to a database holding 4,18,777 rows of sensitive consumer data, including Colombian national ID numbers, email addresses, phone numbers, customer names, payment records, salaries, home addresses, and other information. The threat actors exported the data into weaponized Excel maldocs and used them in phishing emails designed to persuade recipients to open the file. After the file is opened and the macro is enabled, a second-stage Dynamic Link Library (DLL) payload is downloaded and run. The second-stage DLL uses various anti-debugging techniques, retrieves the RAT, and executes BitRAT on the host. This article continues to discuss the new BitRAT malware campaign.

Security Affairs reports "BitRAT Campaign Relies on Stolen Sensitive Bank Data as a Lure"
