Attackers use stolen banking data as phishing lure to deploy BitRAT

In a case that highlights how attackers can leverage information from data breaches to enhance their attacks, a group of attackers is using customer information stolen from a Colombian bank in phishing attacks with malicious documents, researchers report. The group, which might have been responsible for the data breach in the first place, is distributing an off-the-shelf Trojan program called ​​BitRAT that has been sold on the underground market since February 2021.

Stolen data used to add credibility to future attacks

Researchers from security firm Qualys spotted the phishing lures that involved Excel documents with malicious documents but appeared to contain information about real people. Looking more into the information, it appeared the data was taken from a Colombian cooperative bank. After looking at the bank’s public web infrastructure, researchers found logs that suggested the sqlmap tool was used to perform an SQL injection attack. They also found database dump files that attackers created.

“Overall, 418,777 rows of sensitive data have been leaked of customers with details such as Cedula numbers (Columbian national ID), email addresses, phone numbers, customer names, payment records, salary, address, etc.,” the researchers said in their report. “As of today, we have not found this information shared on any of our darkweb/clearweb monitored lists.”

Sometimes attacker groups buy data on the dark web, but since this data didn’t appear in any public offerings it means it was either a private sale or the attackers behind the phishing attacks obtained it themselves.

This is a clear example of a threat that researchers have long warned about following any data breach: Even if the stolen data doesn’t appear to have immediate value or can be easily exploited for monetary gain or for account access, attackers can still use such data to add credibility to other attacks. Users are much more likely to fall for an email that includes personal information that only their bank or a trusted service provider will have.

Multi-stage droppers

The dropper mechanism in the Excel files is fairly sophisticated. First, a highly obfuscated macro script hidden inside the file is executed and generates an .inf file from hundreds of arrays that are reconstructued using arithmetic operations. The final .inf file is then executed using advpack.dll, a library that assists with hardware and software installs by reading and verifying .INF files.

Copyright © 2023 IDG Communications, Inc.