Hacking and malware have always been among the main concerns of the cryptocurrency space. Recently, Palo Alto Networks' research division, Unit 42, detected malware targeting two Israeli fintech and cryptocurrency software trading companies. The malware in question was Cardinal RAT (Remote Access Trojan), which was first discovered in 2017.
A Remote Access Trojan gives the attacker full remote control of the infected device. The trojan operates in silence. It collects the target data and then wipes its presence from the device by uninstalling itself completely. Before wiping itself clean, the malware steals data by recording key presses and sending the collected data offsite over the internet.
The researchers also suggested that in terms of their mode of operation and capabilities, the payload of the latest version of Cardinal RAT does not differ significantly from the original. It is reported that when RAT enters a victim’s computer, it rapidly steals vital data, updates its settings, acts as a reverse proxy, and executes malicious commands before it finally deletes itself from the system. That’s not all; once the above processes are done, Cardinal skillfully moves on to recover the victim’s passwords, downloads and executes files, logs keypresses, takes screenshots, updates itself automatically and clears all cookies on the user’s browser.
In a blog report, the cybersecurity firm Palo Alto Networks revealed that Israel's fintech and cryptocurrency trading firms have been targeted by a malware called Cardinal RAT since 2017. Its research department, Unit 42, revealed that since the malware first surfaced at least two known large-scale attacks have occurred on Israeli fintech firms.
According to Unit 42, an older version of the Cardinal RAT malware was first discovered in April 2017 while the team was investigating the cause of an attack on two Israeli firms developing crypto and forex trading software.
Reportedly, since it was first discovered, the research division has continued to track the malware. This is why they were able to spot a series of attacks using an updated version of Cardinal RAT. In addition, the report stated that a series of modifications could have been made to the RAT to "evade detection" as well as to hinder analysis.
The report added that the attacker could access the victim’s personal information with this malware, capture screenshots, clean browser cookies, uninstall itself from the victim device, execute commands, retrieve passwords, download and execute new files, and update settings.
Although the details of the two firms building Forex and cryptocurrency trading software are not revealed, the implications of this malware attack may be harmful. This fully depends on the platforms' main operations, such as whether they had customer information stored on their devices. In a statement to thenextweb, Unit 42 stated,
“through lure documents attached to spam messages sent to individuals thought to operate as Forex and cryptocurrency traders, the malicious files find their way into machines.”