A recently discovered remote access Trojan (RAT) that abuses Excel macros in an innovative way has been active for more than two years, Palo Alto Networks security researchers reveal.
Dubbed Cardinal RAT, the malware had a very low volume over the two-year timeframe, with only 27 total samples found to date. The manner in which the threat is delivered, however, is both innovative and unique: malicious macros in Microsoft Excel documents are used to compile embedded C# (C Sharp) source code into an executable that downloads the RAT.
The delivery documents, which the Palo Alto Networks researchers refer to as the Carp downloader, use various financial-related lures to trick users into executing them. The malicious macros were designed to generate two paths: one to a randomly named executable and one to a randomly named C# file, both in the %APPDATA%\Microsoft folder.
Next, it base64-decodes the embedded C# source code and writes it to the C# file path, after which it compiles and executes the C# source code using the Microsoft Windows built-in csc.exe utility. The executed code simply downloads the Cardinal RAT from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), decrypts it using AES-128, and then executes it.
The malware was named Cardinal RAT based on the internal names used by the author within the observed Microsoft .NET Framework executables, the security researchers reveal. Because only 27 unique samples of the RAT have been found, the malware managed to remain hidden even though some of these samples date back to December 2015.
When executed on an infected system, the malware checks its current working directory and enters an installation routine if the directory doesn’t match the expected path. The threat copies itself to a randomly named executable in the specified directory, after which it compiles and executes embedded source code featuring watchdog functionality.
The newly spawned executable ensures that a specific registry key is set, and periodically queries the key to verify it is set appropriately and to re-set it if it has been deleted. This key acts as a persistence mechanism, as it ensures the RAT is executed every time a user logs on.
The watchdog process checks that the Cardinal RAT process is always running and that the executable is located in the correct path. If one of these conditions isn’t met, it either spawns a new instance of Cardinal RAT, or writes the malware to the correct location.
After completing the installation routine, the RAT injects itself into a newly spawned process, attempting to use one of six executables for this process: RegAsm.exe, RegSvcs.exe, vbc.exe, csc.exe, AppLaunch.exe, or cvtres.exe.
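The delivery chain (Excel spawning csc.exe to build a randomly named .exe and .cs under %APPDATA%\Microsoft) and the six injection-host binaries named above give a defender concrete process-lineage signals. The following triage script is an added example, not code from the article or from Palo Alto Networks; the event fields, rule names and file paths are constructed assumptions in the style of Sysmon process-creation records.

```python
import ntpath
import re

# Added example: match constructed process-creation events against the Cardinal RAT
# delivery and injection behaviour described in the text. Rule names, event fields
# and sample paths are assumptions for illustration only.

OFFICE_APPS = {"excel.exe"}
# .NET framework utilities the text names as injection hosts for the RAT.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe",
                   "applaunch.exe", "cvtres.exe"}
# %APPDATA% expands to ...\AppData\Roaming, so the macro's drop folder is this path.
APPDATA_MS = re.compile(r"\\appdata\\roaming\\microsoft\\", re.IGNORECASE)

def basename(path):
    return ntpath.basename(path).lower()

def triage(event):
    """Return the list of rule names an event matches (empty if none)."""
    hits = []
    parent, image, cmdline = event["parent"], event["image"], event["cmdline"]
    # 1. Excel spawning the C# compiler: the Carp downloader macro's behaviour.
    if basename(parent) in OFFICE_APPS and basename(image) == "csc.exe":
        hits.append("excel_spawns_csc")
    # 2. csc.exe compiling a .cs file, or emitting an .exe, under %APPDATA%\Microsoft.
    if basename(image) == "csc.exe" and APPDATA_MS.search(cmdline):
        hits.append("csc_build_in_appdata_microsoft")
    # 3. One of the six injection-host binaries started by a parent that itself
    #    lives in %APPDATA%\Microsoft, where the installed RAT copy resides.
    if basename(image) in INJECTION_HOSTS and APPDATA_MS.search(parent):
        hits.append("dotnet_host_spawned_from_appdata")
    return hits

def triage_all(events):
    return [(i, hit) for i, ev in enumerate(events) for hit in triage(ev)]

SAMPLE_EVENTS = [  # constructed, Sysmon-like fields; paths are illustrative
    {"parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /out:"C:\Users\u\AppData\Roaming\Microsoft\kq2x.exe" '
                r'"C:\Users\u\AppData\Roaming\Microsoft\kq2x.cs"'},
    {"parent": r"C:\Users\u\AppData\Roaming\Microsoft\kq2x.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /out:"C:\src\app\bin\app.exe" "C:\src\app\Program.cs"'},
]

if __name__ == "__main__":
    for index, rule in triage_all(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The third sample (a developer's IDE driving csc.exe against a source tree) matches nothing, which is the point of keying the rules on parent process and the %APPDATA%\Microsoft path rather than on csc.exe alone.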
Some of the malware samples are configured with a single command and control (C&C) server, while others use multiple host and port combinations. Cardinal RAT parses a configuration, then attempts to connect to the C&C. Data is transmitted in two pieces: a DWORD specifying the data length, and the data itself, encrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library, Palo Alto Networks reveals.
The RAT sends a wealth of information to the server, including username, hostname, campaign identifier, Microsoft Windows version, victim unique identifier, processor architecture, and malware version (1.4). It was designed to collect victim information, update its settings and itself, act as a reverse proxy, execute commands, uninstall itself, recover passwords, download and execute new files, log keystrokes, capture screenshots, and clean cookies from browsers.