Israel-based fintech firms that develop cryptocurrency trading and forex-related products have reportedly been targeted by malicious malware programs.

This, according to a recent blog post (published on March 19th) by Unit 42, the threat discovery and research division of Palo Alto Networks, a cybersecurity firm. As explained in Unit 42’s detailed post, the researchers first discovered an older version of the malware scripts, known as Cardinal RAT, in April 2017.

After being uncovered two years back, security threats related to Cardinal RAT have now been found in software developed by two Israeli tech firms. As noted in Unit 42’s report, the malware was detected in proprietary forex and cryptocurrency trading programs. Referred to as the Remote Access Trojan (RAT), the malware allows attackers to remotely access and gain control of software programs.

In order to avoid detection, the creators of the latest version of the Cardinal RAT malware program have used sophisticated code obfuscation techniques. However, the Unit 42 research team was still reportedly able to discover the malicious malware scripts.

Malware Installs Keyloggers, Captures Screenshots Without Requiring Victim’s Consent

The malware was used to gain access to the victim’s private data, modify their system settings, and function as a reverse proxy that can execute commands (remotely) – while also being able to uninstall itself. The malware scripts can also be used to obtain users’ passwords and the attacker is able to download and execute files on their operating system (without their consent).

Additionally, the malware can function as a keylogger, capture screenshots on the victim’s computer, install updates without requiring permission, and automatically remove cookies from the user’s browser (to avoid detection). As explained by Unit 42’s researchers, the malware has been used to target forex and crypto-related software created by fintech companies.

EVILNUM Malware Uses Similar Attack Vectors 

Unit 42’s report further noted that its researchers found a similarity between a malware program written in JavaScript, called EVILNUM, and Cardinal RAT. According to the research team’s analysis, both Cardinal RAT and EVILNUM have been used previously to launch attacks against software designed by fintech firms.

As described by Unit 42’s researchers, EVILNUM malware is also able to execute commands on users’ operating systems without them noticing or requiring permission. EVILNUM is also similar to Cardinal RAT as both are able to download files and take screenshots on the victim’s computers without their consent.