{
	"id": "d018d13a-9217-441a-bdea-e40c713fe39e",
	"created_at": "2026-04-06T00:07:58.879546Z",
	"updated_at": "2026-04-10T03:20:01.262447Z",
	"deleted_at": null,
	"sha1_hash": "58aacc28b30d5aca946e2d978f9b44bfab006455",
	"title": "BitRAT Now Sharing Sensitive Bank Data as a Lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3002828,
	"plain_text": "BitRAT Now Sharing Sensitive Bank Data as a Lure\r\nBy Akshat Pradhan\r\nPublished: 2023-01-03 · Archived: 2026-04-05 19:24:02 UTC\r\nIntroduction\r\nIn June of 2022 Qualys Threat Research Unit (TRU) wrote an in-depth report on Redline, a commercial off the shelf infostealer that spreads via fake cracked software hosted on Discord’s content delivery network. Since then, we have continued to track similar threats to identify their evolving capabilities. In this blog, we will highlight our findings on another commercial off the shelf malware – BitRAT.\r\nBitRAT is a fairly recent, notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums since Feb 2021. The RAT is particularly well known for its social media presence and functionality such as:\r\n1. Data exfiltration\r\n2. Execution of payloads with bypasses\r\n3. DDoS\r\n4. Keylogging\r\n5. Webcam and microphone recording\r\n6. Credential theft\r\n7. Monero mining\r\n8. Running tasks for processes, files, software, etc.\r\nThese features, along with its relatively low cost of $20, make BitRAT a pervasive threat.\r\nBreach details\r\nWhile investigating multiple lures for BitRAT we identified that an adversary had hijacked a Colombian cooperative bank’s infrastructure. Moreover, the lures themselves contain sensitive data from the bank to make them appear legitimate. This means that the attacker has gained access to customers’ data. While digging deeper into the infrastructure we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps. Overall, 4,18,777 rows of sensitive customer data have been leaked, with details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, address etc. As of today, we have not found this information shared on any of our darkweb/clearweb monitored lists. 
\r\nWe are following standard breach disclosure guidelines with the identified victims and will update this article with additional data as things progress.\r\nThe data from the tables was reused in Excel maldocs as well as part of the database dump.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure\r\nPage 1 of 6\n\nFig.1 Excel Maldocs\r\nThese Excel sheets act as lures for BitRAT. All of them are authored by “Administrator”.\r\nSample Analysis\r\nThe Excel file contains a highly obfuscated macro that drops an .inf payload and executes it. The .inf payload is segmented into hundreds of arrays in the macro. The de-obfuscation routine performs arithmetic operations on these arrays to rebuild the payload. The macro then writes the payload to the temp directory and executes it via advpack.dll.\r\nFig.2 Macro content\r\nThe .inf file contains a hex-encoded second-stage DLL payload which is decoded via certutil, written to %temp%\\ and executed by rundll32. The temp files are then deleted.\r\nFig.3 inf payload\r\nThis DLL uses various anti-debugging techniques to download and execute the final BitRAT payload. It uses the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory.\r\nFig.4 Writing BitRAT from GitHub.\r\nThe DLL then uses WinExec to start the %temp% payload and exits. The GitHub repository was created in mid-November and the account is a throwaway created just to host multiple payloads.\r\nFig.5 Adversary GitHub profile\r\nFig.6 Adversary GitHub repository\r\nEach of these files is a BitRAT loader sample obfuscated via DeepSea. 
The BitRAT sample is embedded into the loaders and is obfuscated via SmartAssembly. The loader decodes the binary and reflectively loads it.\r\nFig.7 BitRAT obfuscation\r\nThey also contain hijacked resources from two different companies to appear legitimate.\r\nFig.8 Hijacked resources\r\nThe BitRAT sample starts and relocates the loader to the user’s startup location for persistence. It has the following configuration:\r\n\"Host\": \"\u003cC2 IP\u003e\",\r\n\"Port\": \"7722\",\r\n\"Tor Port\": \"0\",\r\n\"Install Dir\": \"0\",\r\n\"Install File\": \"0\",\r\n\"Communication Password\": \"c4ca4238a0b923820dcc509a6f75849b\",\r\n\"Tor Process Name\": \"tor\"\r\nFig.9 BitRAT C2\r\nConclusion\r\nCommercial off the shelf RATs have been evolving their methodology to spread and infect their victims. They have also increased the usage of legitimate infrastructures to host their payloads, and defenders need to account for it. We at Qualys Threat Research Unit will continue to monitor and document such threats to understand their evolving TTPs.\r\nQualys solutions\r\nQualys provides a whole suite of solutions to help protect your environment against advanced threats like BitRAT.\r\nQualys Multi-Vector Endpoint Detection and Response (EDR) is a dynamic detection and response service powered by the Qualys Cloud Platform. Qualys Multi-Vector EDR detects malware like BitRAT by unifying multiple context vectors to spot its insertion into a network endpoint. 
Qualys Cloud Platform provides asset management, vulnerability detection, policy compliance, patch management, and file integrity monitoring capabilities – all delivered with a single agent and cloud-based delivery for a lower total cost of ownership.\r\nQualys External Attack Surface Management (EASM) enables organizations to continuously monitor and reduce the entire enterprise attack surface including internal and internet-facing assets and discover previously unidentified exposures. It also helps synchronize with CMDBs, detect security gaps like unauthorized or end-of-support software, open ports, remotely exploitable vulnerabilities, digital certificate issues, unsanctioned apps and domains, and mitigate risk by taking appropriate actions.\r\nMITRE ATT\u0026CK® Mapping\r\nT1071.001 Application Layer Protocol: Mail Protocols\r\nT1102 Web Service\r\nT1218.011 System Binary Proxy Execution: Rundll32\r\nT1218 System Binary Proxy Execution\r\nT1584 Compromise Infrastructure\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1204.002 User Execution: Malicious File\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure"
	],
	"report_names": [
		"bitrat-now-sharing-sensitive-bank-data-as-a-lure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58aacc28b30d5aca946e2d978f9b44bfab006455.pdf",
		"text": "https://archive.orkl.eu/58aacc28b30d5aca946e2d978f9b44bfab006455.txt",
		"img": "https://archive.orkl.eu/58aacc28b30d5aca946e2d978f9b44bfab006455.jpg"
	}
}