Unit 42, Palo Alto Networks' research arm, has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. The campaign is extremely limited, with only 27 samples identified in total over that two-year period.
The research shows that the majority of the lures are financial-related, presenting fake customer lists for a range of organisations. Based on the similarities between some of them, the attackers appear to work from a template, simply swapping specific cells for the pertinent images or information.
The malware is delivered via an innovative and unique technique: a downloader, which Unit 42 has named Carp, uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable, which is then run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, showing what attackers are using to entice victims into executing them.
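A defender-side illustration of the compile-and-run pattern described above, added here and not part of the original post or of Unit 42's research: a heuristic that scores extracted VBA macro text for the combination of embedded C# source and a reference to the C# compiler. The indicator strings (csc.exe, the CodeDOM compiler classes) and both macro samples are assumptions constructed for the example; the post itself names no specific API.

```python
import re

# Assumed indicators of reaching the C# compiler from VBA (not from the post).
COMPILER_INDICATORS = [
    r"csc\.exe",                   # command-line C# compiler
    r"CSharpCodeProvider",         # CodeDOM provider class
    r"CompileAssemblyFromSource",  # CodeDOM compile call
    r"Microsoft\.CSharp",          # provider namespace
]
CSHARP_SOURCE_MARKERS = [r"using\s+System\s*;", r"static\s+void\s+Main\s*\(", r"\bnamespace\s+\w+"]
AUTO_EXEC = [r"\bAuto_?Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b"]
EXEC_PRIMITIVES = [r"\bShell\b", r"WScript\.Shell", r"CreateObject\s*\("]


def _hits(patterns, text):
    """Return the patterns from `patterns` that match somewhere in `text`."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def assess_macro(vba_source: str) -> dict:
    """Score extracted VBA text; embedded source plus a compiler reference is the
    specific signal, auto-execution and a process launch raise confidence."""
    compiler = _hits(COMPILER_INDICATORS, vba_source)
    source = _hits(CSHARP_SOURCE_MARKERS, vba_source)
    autoexec = _hits(AUTO_EXEC, vba_source)
    launch = _hits(EXEC_PRIMITIVES, vba_source)
    score = 3 if (compiler and source) else (1 if (compiler or source) else 0)
    score += 1 if autoexec else 0
    score += 1 if launch else 0
    verdict = "compile-and-run pattern" if (compiler and source) else "no compile-and-run pattern"
    return {"score": score, "verdict": verdict, "compiler": compiler,
            "source": source, "autoexec": autoexec, "launch": launch}


# Constructed sample: a benign macro that formats a customer list on open.
BENIGN_SAMPLE = """Sub Workbook_Open()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub"""

# Constructed sample: embedded C# source handed to the compiler, then launched.
SUSPICIOUS_SAMPLE = """Sub Workbook_Open()
    src = "using System; namespace Demo { class P { static void Main() { } } }"
    Shell "csc.exe /out:out.exe src.cs", vbHide
End Sub"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, assess_macro(sample))
```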
The link below shows examples of how the Carp downloader works.
For more details, please see the Unit 42 blog here:
http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.