Author: Yadu Nadh
On 10 May, Infoblox observed a malicious email campaign that used weaponized Microsoft Excel spreadsheets (XLS) exploiting CVE-2017-11882[1] to deliver BitRAT, a remote access trojan (RAT).
BitRAT, first observed in late 2020, is a newcomer to the malware scene. Poor coding practices found within the malware signal inexperience on the part of the developers, as large sections of the code appear to be copied and pasted from another trojan called TinyNuke, as well as from a variety of open source projects.[2]
Threat actors can purchase this malware on popular underground forums and have been observed distributing it via malicious XLS attachments in malspam.
BitRAT’s known capabilities include:
- SSL encryption,
- Cryptocurrency mining,
- Activating webcams,
- Downloading/uploading files,
- Controlling the victim’s machine remotely, and
- Communicating via TOR.[3]
In this campaign, threat actors used a biotechnology theme with the subject line “new deal for Biotechnologyinc-CN#324708”. The emails contained a message body referencing a “new deal” to lure unsuspecting users into downloading and opening the attachment, named Biotechnologyinc-CN#324708.xlsx.
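As an added example (not Infoblox's code, and not part of the original report), the following Python script shows how a mail gateway or SOC triage job could check inbound messages against the lure traits described above: the subject line and attachment name from this campaign, plus a structural check on any Excel attachment for an embedded Equation Editor OLE object (ProgID Equation.3), the legacy component that CVE-2017-11882 exploits abuse. The MIME messages and the minimal workbook they carry are constructed inline for the demonstration and contain no exploit content; the sender and recipient addresses are placeholders. The structural check only covers OOXML (zip-based) workbooks; a legacy binary .xls would need an OLE2 parser, which this example does not include.

```python
"""Triage an inbound message for the lure traits of the BitRAT campaign
and inspect Excel attachments for an embedded Equation Editor (Equation.3)
OLE object, the legacy component abused by CVE-2017-11882 exploits.
Added example, not Infoblox's code; all sample messages are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Campaign indicators taken from the write-up
SUBJECT_INDICATOR = "new deal for Biotechnologyinc-CN#324708"
ATTACHMENT_INDICATOR = "Biotechnologyinc-CN#324708.xlsx"
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb")

# OOXML worksheet parts declare embedded OLE objects as
# <oleObject progId="..." .../>; "Equation.3" is the Equation Editor ProgID.
OLE_PROGID_RE = re.compile(r'<oleObject\b[^>]*\bprogId="([^"]+)"')


def ooxml_ole_progids(blob: bytes) -> list[str]:
    """ProgIDs of OLE objects declared in the worksheet parts of an OOXML
    workbook. A legacy binary .xls is not a zip, so it yields [] here and
    would need an OLE2 parser instead (not covered by this example)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            xml_parts = [n for n in zf.namelist()
                         if n.startswith("xl/worksheets/") and n.endswith(".xml")]
            return [pid for n in xml_parts
                    for pid in OLE_PROGID_RE.findall(zf.read(n).decode("utf-8", "replace"))]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return subject, findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    if SUBJECT_INDICATOR.lower() in subject.lower():
        findings.append("subject matches campaign lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == ATTACHMENT_INDICATOR.lower():
            findings.append(f"attachment name matches campaign indicator: {name}")
        if name.lower().endswith(EXCEL_EXTENSIONS):
            progids = ooxml_ole_progids(part.get_payload(decode=True) or b"")
            if any(p.startswith("Equation") for p in progids):
                findings.append(f"{name} embeds Equation Editor OLE object ({', '.join(progids)})")
    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


def build_sample_message(subject: str, filename: str, embed_equation: bool) -> bytes:
    """Constructed test input: a MIME message carrying a minimal OOXML-like
    workbook that optionally declares an Equation.3 OLE object (no exploit content)."""
    ole = ('<oleObjects><oleObject progId="Equation.3" shapeId="1025" r:id="rId1"/>'
           '</oleObjects>' if embed_equation else '')
    sheet = ('<?xml version="1.0" encoding="UTF-8"?><worksheet><sheetData/>'
             f'{ole}</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"     # placeholder address
    msg["To"] = "recipient@example.invalid"    # placeholder address
    msg.set_content("Please see the attached new deal.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message(SUBJECT_INDICATOR, ATTACHMENT_INDICATOR, True)
    print(triage_message(lure))
    benign = build_sample_message("Q3 budget", "budget.xlsx", False)
    print(triage_message(benign))
```

The name-based checks catch this specific campaign only; the Equation.3 check is the durable one, since any workbook that legitimately embeds the long-retired Equation Editor is rare enough in most organisations to justify quarantining for manual review.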
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.