Israeli fintech firms associated with forex and crypto trading appeared to be potential targets of malware, according to an update by the online threat research team Unit 42, a department of the US-based cybersecurity firm Palo Alto Network on March 19th.

As said in the report, Unit 42 first came in contact with the Cardinal RAT – a predecessor to the current one – during their analysis of the raids on 2 Israel-based fintech companies associated with advancing forex and digital assets trading software. This software is called Remote Access Trojan (RAT), specifically built to help hackers infiltrate the systems from afar. 

This new version of the former Cardinal RAT possesses distinctive features that help it avoid exposure from analysis. The Unit 42 team further notified that the new malware is not actually that much different from the previous Cardinal RAT, regarding its modus operandi or capabilities.

After finished gathering targets’ information, the new malware changed its setting to work as a reverse proxy and moved on to carry out commands and finally, self-uninstalled. It then recovers passwords, downloads and executes files, logs keypresses, captures screenshots, updates itself and cleans cookies from browsers.

The Unit 42 team also provided evidence that links Cardinal RAT to a JavaScript-based malware called EVILNUM, also designed to target forex and crypto trading institution. Specifically, EVILNUM has appeared numerous times in a few malware attack cases filed by customers in the same period with Cardinal RAT.

The research team emphasized that the new malware is exclusively designed to attack fintech companies. Upon analysing the data, the Unit 42 team came across a case with both Cardinal RAT and EVILNUM present, which is noteworthy because of their rarity.

Early this February, The Crypto Sight reported a crypto malware lurking in a fake MetaMask app available on Google Play. This application replaces the original intended address with that of the attacker’s to divert the funds there instead.