BitRAT Malware Uses Bank-Themed Phishing Emails

Qualys reported in June of 2022 that Discord’s content delivery network was found to be sharing a commercial off-the-shelf info stealer by hosting a fake cracked version of the software. 

During this time, researchers have been tracking similar threats in order to gain a better understanding of their capabilities as they evolve.

On the underground cybercriminal web markets and forums, BitRAT is marketed since February 2021 as a relatively recent and notorious remote access trojan (RAT).

BitRAT Functionalities

Here below we have mentioned all the key functionalities of BitRAT trojan:-

  • Data exfiltration 
  • Execution of payloads with bypasses.
  • DDoS 
  • Keylogging 
  • Webcam and microphone recording 
  • Credential theft
  • Monero mining 
  • Running tasks for process, file, software, etc.

A combination of these qualities and its relatively low cost of just $20 make BitRAT a very dangerous and widespread threat to systems. 

Technical Analysis of the Malware

During a recent investigation of multiple BitRAT lures, experts were able to determine that an adversary had hijacked the infrastructure of a Columbian cooperative bank.

Further, in order to make the lures appear legitimate, they contain sensitive information obtained from the bank itself. There is a possibility that the attacker would be able to access customer data in this way.

Further investigation into the infrastructure revealed log files that appear to show the use of the SQLMap tool for the purpose of finding potential errors of SQLi, as well as actual database dump files that point to the use of this tool.

The total number of records that have been leaked is 4,18,777, and the sensitive data includes information like the following we have mentioned below:-

  • Cedula numbers (Columbian national ID)
  • Email addresses
  • Phone numbers
  • Customer names
  • Payment records
  • Salary
  • Address

Clearly obfuscated macros are present in the excel file, which are designed to drop an inf payload and execute it after it is dropped. An array of hundreds of elements is used in the macro to segment the .inf payload.

After the macro is run, the payload will be stored in temp and the advpack.dll will be used to execute the payload.

The final payload for BitRAT is downloaded and executed by this dll using a series of anti-debugging techniques. In order to download BitRAT embedded payloads from GitHub, it uses the WinHTTP library to download them into a directory named %temp%. 

In addition to starting the payload in %temp%, the dll also uses WinExec to exit. In mid-November, a GitHub repository was created for the sole purpose of hosting multiple payloads within the repository.

In recent years, the methodologies of commercially available off-the-shelf RATs have evolved significantly in terms of how they spread and infect their targets.

A number of legitimate infrastructures are being used by hackers today to host their payloads. In short, defenders need to keep an active eye on this.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.