Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) programming language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.

Carp Downloader

As previously mentioned, we have observed Cardinal RAT being delivered using a unique technique involving malicious Excel macros. We are calling these delivery documents the Carp Downloader, as they make use of a specific technique of compiling and executing embedded C# (C Sharp) language source code that acts as a simple downloader. The malware from start to finish exhibits the following high level operations as shown in Figure 1:

Figure 1 Malware execution flow

We observed the following example macro in the most recent sample. Note that we have prefixed the function names with 'xx_' to make it easier for the reader to understand what is going on.
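The execution flow described above (an Excel macro compiles embedded C# source and then runs the resulting executable) leaves a distinctive process tree that endpoint telemetry can key on. The following is an added example, not code from the Unit 42 post or from the Carp samples; it assumes Sysmon-style process-creation fields (pid, ppid, image) and that the compile step invokes the .NET Framework command-line compiler csc.exe, which this excerpt of the post does not name.

```python
# Added detection example: walk process-creation events and flag any process
# tree rooted at an Office application that reaches a C# compiler or launches
# an executable from a user-writable temp directory. Field names and the
# csc.exe assumption are mine, not taken from the Unit 42 write-up.
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
COMPILER_IMAGES = {"csc.exe", "vbc.exe"}          # .NET Framework command-line compilers
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_office_compile_chains(events):
    """Return one alert per suspicious descendant of an Office process.

    events: iterable of dicts with keys pid, ppid, image (full path).
    Each alert carries the ordered image chain from the Office root down
    to the flagged process and the reason it was flagged.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    alerts = []

    def walk(pid, chain):
        e = by_pid[pid]
        name = _basename(e["image"])
        chain = chain + [name]
        if name in COMPILER_IMAGES:
            alerts.append({"chain": chain, "reason": "office-spawned compiler"})
        elif name.endswith(".exe") and any(m in e["image"].lower() for m in TEMP_MARKERS):
            alerts.append({"chain": chain, "reason": "office-spawned temp executable"})
        for child in children[pid]:
            walk(child, chain)

    for e in events:
        if _basename(e["image"]) in OFFICE_IMAGES:
            walk(e["pid"], [])
    return alerts

# Constructed sample: Excel compiles source with csc.exe and runs the output from
# %TEMP%; a benign Excel child (splwow64) and a csc.exe run outside any Office
# tree are included to show what is not flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Temp\out.exe"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\splwow64.exe"},
    {"pid": 200, "ppid": 2, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
]
```

Run against real Sysmon Event ID 1 data by mapping ProcessId, ParentProcessId and Image onto the three keys; the rule reports the compile step and the launched temp binary as two separate alerts.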