A new malware campaign has been observed using sensitive information stolen from banks as bait in phishing emails to drop a remote access Trojan called BitRAT.
An unknown attacker is thought to have hijacked the IT infrastructure of a Colombian cooperative bank and used the stolen information to craft a convincing decoy message that tricks the victim into opening a malicious Excel attachment.
The discovery comes from cybersecurity firm Qualys, who found evidence of a database dump containing 418,777 records allegedly obtained by exploiting a SQL injection bug.

The leaked details included Cédula numbers (national ID documents issued to Colombian citizens), email addresses, phone numbers, client names, payment records, salary details, addresses, and more.

There is no evidence that the information was previously shared on dark or clear web forums, suggesting that the attackers themselves accessed customer data to carry out phishing attacks.

The Excel files containing the exfiltrated banking data also embed macros that download a second-stage DLL payload, which in turn is configured to retrieve and execute BitRAT on the compromised host.

Qualys researcher Akshat Pradhan said, “We use the WinHTTP library to download the embedded BitRAT payload from GitHub to the %temp% directory.”
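
The infection chain described above (Office macro, WinHTTP download from GitHub into %temp%, second-stage DLL loaded on the host) leaves a recognisable footprint in endpoint telemetry. The following detection logic is an added example written for this page, not code from Qualys or from the campaign; it runs over constructed, Sysmon-like sample events (the field names, paths and hostnames are assumptions for illustration) and flags the three behaviours a defender would hunt for: an Office process connecting to a code-hosting domain, an Office process writing an executable into a Temp directory, and an Office process spawning a DLL/script loader.

```python
"""Behavioural detection for the macro -> WinHTTP -> GitHub -> %temp% -> DLL chain.

The events are CONSTRUCTED sample records shaped loosely like Sysmon
(1 = process create, 3 = network connect, 11 = file create). They are
not telemetry from the real campaign; paths and hosts are illustrative.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Process names an Office macro runs under.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Common living-off-the-land loaders used to run a downloaded DLL/script.
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Legitimate code-hosting domains abused for payload staging (article: GitHub).
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}


@dataclass
class Event:
    event_id: int                  # 1 = process create, 3 = network, 11 = file create
    image: str                     # full path of the process that generated the event
    parent: Optional[str] = None   # parent image (event 1)
    target: Optional[str] = None   # file path written (event 11)
    dest_host: Optional[str] = None  # remote hostname (event 3)


def _base(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _is_temp_binary(path: str) -> bool:
    """True for a DLL/EXE written under a ...\\Temp\\ directory (%temp% expands there)."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p and p.endswith((".dll", ".exe"))


def detect(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious event; an empty list means nothing fired."""
    alerts: List[str] = []
    for e in events:
        img = _base(e.image)
        # Office process talking directly to a code-hosting domain.
        if e.event_id == 3 and img in OFFICE and e.dest_host \
                and e.dest_host.lower() in CODE_HOSTS:
            alerts.append(f"office-to-codehost: {img} -> {e.dest_host}")
        # Office process dropping an executable into %temp%.
        if e.event_id == 11 and img in OFFICE and e.target and _is_temp_binary(e.target):
            alerts.append(f"office-drop-temp: {img} wrote {e.target}")
        # Office process spawning a loader that can run the dropped DLL.
        if e.event_id == 1 and e.parent and _base(e.parent) in OFFICE and img in LOADERS:
            alerts.append(f"office-spawn-loader: {_base(e.parent)} -> {img}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed sample: three malicious events interleaved with three benign ones."""
    excel = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    return [
        Event(3, excel, dest_host="raw.githubusercontent.com"),                     # fires
        Event(11, excel, target="C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll"),  # fires
        Event(11, excel, target="C:\\Users\\alice\\Documents\\report.xlsx"),        # benign
        Event(1, "C:\\Windows\\System32\\rundll32.exe", parent=excel),               # fires
        Event(1, "C:\\Windows\\System32\\splwow64.exe", parent=excel),               # benign
        Event(3, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
              dest_host="github.com"),                                               # benign
    ]


if __name__ == "__main__":
    for line in detect(sample_events()):
        print(line)
```

Each rule fires on its own here; in a SIEM you would correlate the three by host and a short time window, since a single Office-to-GitHub connection can be benign while all three together within a minute is a strong signal of exactly this chain.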

Commercial malware available on underground forums for as little as $20, BitRAT contains data

“Commercial off-the-shelf RATs have evolved the methods of spreading and infecting victims,” said Pradhan. “They are also increasing their use of legitimate infrastructure to host their payloads, and defenders must take responsibility for that.”