---
title: "BitRAT Malware Threat Actors Leveraging Stolen Columbian Cooperative Bank Data in Phishing Campaign | Phish Protection"
description: "The BitRAT malware was used to target the Columbian Cooperative Bank, where the threat actors made away with records of over 400,000 individuals."
image: "https://phishprotection.com/og/blog/bitrat-malware-threat-actors-leveraging-stolen-columbian-cooperative-bank-data-in-phishing-campaign.png"
canonical: "https://phishprotection.com/blog/bitrat-malware-threat-actors-leveraging-stolen-columbian-cooperative-bank-data-in-phishing-campaign/"
---


The BitRAT malware was used to target the Columbian Cooperative Bank, where the **threat actors** made off with records of over 400,000 individuals. The threat actors are now using the information from these records in a large-scale [spear phishing](/content/phishing-prevention/spear-phishing-examples/) campaign. This article covers the event: what BitRAT is, the BitRAT Columbian Cooperative Bank breach, an analysis of the latest BitRAT sample, why BitRAT is a grave threat, and how organizations can protect themselves against BitRAT malware.

It is common for malware campaigns to use [phishing techniques](/content/phishing-techniques/) to trick people into installing malware on their devices. But using stolen information for spear-phishing campaigns is a relatively **novel approach** implemented by threat actors behind the BitRAT malware campaign.

The BitRAT malware has been used in attacks against government and private sector organizations, especially the **financial sector**. [Threat actors](/blog/threat-actors-using-russia-ukraine-conflict-to-launch-phishing-attacks/) are now employing the stolen banking credentials of individuals as **phishing** lures. Let us see what is happening in detail.

![Phishing definition](https://media.mailhop.org/phishprotection/images/2023/01/phishing-definition-7890.jpg) 

### What is BitRAT?

_BitRAT is a remote access trojan (RAT) that gives attackers complete control over the infected device._ It is typically spread through **phishing emails** containing links to download the malware. Once the link is clicked, and the [malware](/content/protection-against-malware/types-of-malware/) is downloaded, it can be used to steal sensitive information, monitor the victim’s activity, and take control of the **victim’s device**.

BitRAT has been around since Feb 2021, when it first appeared on underground criminal web markets, and is **notorious** for the functionality it offers at the low price of $20 for a lifetime subscription, including:

- [Data exfiltration](https://en.wikipedia.org/wiki/Data%5Fexfiltration)
- Execution of payloads with bypasses
- DDoS
- Keylogging
- Webcam and microphone recording
- Credential theft
- **Monero mining**
- Running tasks for processes, files, software, and more

### The BitRAT Columbian Cooperative Bank Breach

> “over 90% of ransomware attacks begin with a phishing email ([Verizon 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/)). Blocking the phishing email is the most effective ransomware prevention strategy available - it stops the attack at the earliest possible stage, before any malware reaches your network. Every ransomware incident we’ve investigated started with an email that should have been caught.” - **Vasile Diaconu**, Operations Lead, DuoCircle

While investigating BitRAT lures in active phishing campaigns, security researchers at Qualys [identified](https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure) an undisclosed threat actor in the Columbian cooperative bank’s infrastructure. Qualys found records and logs pointing to the use of **sqlmap** to find potential SQL injection (SQLi) flaws, along with [data dumps](https://www.idstrong.com/sentinel/what-is-a-data-dump/) containing over 400,000 records.

The 418,777 records contained customer data, including names, contact numbers, email addresses, residential addresses, payment ledgers, salary information, and **Colombian national IDs**. All the data was reused in **Excel maldocs**, and the threat actors are using these Excel sheets as BitRAT lures.

Furthermore, all Excel maldocs are authored by “Administrator” accounts. Qualys has not found any evidence of the stolen records being published on any of the [dark web](https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html) or **clear web** lists it monitors, but it is still following all breach disclosure guidelines and will keep updating the victims.

### Columbian Cooperative Bank Breach: Analysis of the Latest BitRAT Malware Sample

Qualys analyzed the Excel sheets and found highly obfuscated **macros** to drop payloads and execute them.

- **_De-Obfuscation:_** The payload is a [.inf file](https://www.partitionwizard.com/partitionmanager/inf-file.html) that is distributed as multiple arrays inside the macro; a **de-obfuscation routine** performs arithmetic operations on these arrays to rebuild the payload.
- **_Execution:_** Once the malware payload is rebuilt, the macro writes it to the temp directory and executes it using the **advpack.dll file**. The .inf file also contains a [hex-encoded](http://fileformats.archiveteam.org/wiki/Hex%5Fencoding#:~:text=Hex%20encoding%20is%20a%20transfer,binary%20data%20in%20plain%20text.) dll (Dynamic Link Library) payload, which is the second stage; it is decoded via certutil and written to the temp directory, and the temp files are deleted after use. The dll uses advanced [anti-debugging](https://www.appsealing.com/anti-debugging/#:~:text=One%20of%20the%20common%20methods,to%20reverse%20engineer%20the%20code.) techniques, downloads the BitRAT payload from GitHub using the **WinHTTP library**, and writes the payload to the temp directory. Finally, the dll uses WinExec to start the temp payload and exits.
- **_GitHub Repository:_** The GitHub repository hosting the BitRAT payload appears to have been created in mid-November, and the account behind the repository is an **anonymous** one created to host multiple payloads. These payloads are loader samples obfuscated via DeepSea with the BitRAT sample embedded into them, along with **hijacked resources** from enterprises to make them appear genuine.
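The three execution stages above leave a recognizable process-creation trail on the endpoint. The following is an added example (not code from the original post or from Qualys) that scans constructed Sysmon-style process events for that trail: an Office process handing an .inf to advpack.dll via rundll32, certutil decoding a hex blob into the temp directory, and an executable launched from the temp directory. The field names, the exact command lines (including the rundll32 advpack.dll,LaunchINFSection form) and all paths are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields, assumed)."""
    parent_image: str
    image: str
    command_line: str


OFFICE_HOSTS = ("excel.exe", "winword.exe", "powerpnt.exe")
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)  # ...\Temp\... anywhere in a path
CHAIN = ["inf_via_advpack", "certutil_decodehex_temp", "exec_from_temp"]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev: ProcEvent) -> Optional[str]:
    """Map an event to the BitRAT maldoc stage it resembles, or None."""
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()
    # Stage 1: the macro runs the rebuilt .inf through advpack.dll, hosted by rundll32
    # (the rundll32 advpack.dll,LaunchINFSection invocation is an assumed form).
    if parent in OFFICE_HOSTS and image == "rundll32.exe" and "advpack" in cmd and ".inf" in cmd:
        return CHAIN[0]
    # Stage 2: the hex-encoded second-stage DLL is decoded by certutil into %TEMP%.
    if image == "certutil.exe" and "-decodehex" in cmd and TEMP_DIR.search(cmd):
        return CHAIN[1]
    # Stage 3: the downloaded BitRAT payload is started from the temp directory.
    if image.endswith(".exe") and TEMP_DIR.search(ev.image):
        return CHAIN[2]
    return None


def detect_chain(events: List[ProcEvent]) -> List[str]:
    """Return the distinct stages seen, in order of first appearance."""
    seen: List[str] = []
    for ev in events:
        stage = stage_of(ev)
        if stage and stage not in seen:
            seen.append(stage)
    return seen


def is_full_chain(stages: List[str]) -> bool:
    """True only when all three stages appear in the order the article describes."""
    return stages == CHAIN


# Constructed sample telemetry from one host (not real logs; paths are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\u\AppData\Local\Temp\stage1.inf,DefaultInstall"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil -decodehex C:\Users\u\AppData\Local\Temp\blob.txt C:\Users\u\AppData\Local\Temp\stage2.dll"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Users\u\AppData\Local\Temp\update.exe",
              r"C:\Users\u\AppData\Local\Temp\update.exe"),
]
BENIGN_EVENT = ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
                         r"certutil -verify C:\certs\corp.cer")

if __name__ == "__main__":
    found = detect_chain(SAMPLE_EVENTS)
    print("stages:", found, "full chain:", is_full_chain(found))
```

A single stage (especially an executable run from the temp directory) is noisy on its own; alert on the full ordered chain and treat partial matches as enrichment for triage.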

### Why is BitRAT such a Significant Threat?

The BitRAT malware is a **C++ written** malware with many advanced capabilities, such as:

**_1\. Controller:_** BitRAT has a licensing protocol to determine whether the individual running it has paid. This **.NET controller** is obfuscated with [Eazfuscator](https://learn.gapotchenko.com/eazfuscator.net/docs/what-is-eazfuscator.net) and sends an HTTP request to the server, which responds with a base64-encoded string containing the licensing information. If there is no valid license, **two requests** are made for the purchase order, and the payloads are built on the vendor’s server.

**_2\. Payload:_** The payload of the BitRAT malware is written in Visual C++ with multiple libraries such as **Boost and libCURL**. The files store string pointers in an array, and [APIs (Application Programming Interfaces)](https://www.ibm.com/topics/api) are loaded directly. The malware also uses anti-debugging by calling NtSetInformationThread with ThreadHideFromDebugger. The payload is an advanced one with a command dispatcher, **HVNC** (Hidden Virtual Network Computing) and a hidden browser, and a **UAC** (User Account Control) bypass.

With such capabilities and low prices, the BitRAT malware is a significant threat to organizations and businesses worldwide, as low-level [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) can use it to carry out **malicious attacks** on a large scale without much expertise. The malware also includes:

- **_Persistence:_** BitRAT uses the **BreakOnTermination** flag for persistence within the victim’s system and also attempts to elevate privileges.
- **_Webcam and Voice Recording:_** BitRAT can also initiate webcam and voice recordings to spy on the victim, using open-source libraries to do so. BitRAT uses [OpenCV](https://en.wikipedia.org/wiki/OpenCV) for capturing the webcam and an **altered** version of A. Riazi’s library for voice recording.

![Phishing prevention](https://media.mailhop.org/phishprotection/images/2023/01/phishing-prevention-7897.jpg) 

### How to Protect Systems Against BitRAT Malware?

BitRAT has been infamous for targeting **cryptocurrency users** by infecting their computers and stealing their private keys and login credentials. Now that it is attacking various enterprises, here are some steps you can take to protect yourself against BitRAT and other types of malware:

- **_Keep your operating system and antivirus software up to date:_** Ensure you are running the latest version of your system and [antivirus](https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/) software, as these often include security **updates** that can protect against new threats.
- **_Be cautious when downloading files:_** Avoid downloading files from **unknown** sources, and be careful when opening email attachments, even if they seem to be from a trusted source.
- **_Use a firewall:_** A [firewall](https://www.infosecurity-magazine.com/opinions/firewall-malware-challenges/) can help protect your computer by blocking incoming traffic from potentially harmful sources.
- **_Avoid suspicious websites:_** Be careful when visiting unfamiliar websites, as they may lead you to download **malware-embedded software**.

Following these steps can help **protect** yourself against BitRAT and other types of malware.

However, it’s important to note that no security measures are foolproof, so it’s essential to always **be vigilant** and aware of the risks.

### Final Words

The BitRAT malware has been available on dark web markets for a long time, allowing cybercriminals to deploy it in their own way and cause all kinds of harm. This **chained attack** of spreading the malware via phishing and then using the stolen information for further phishing attacks might be new. Still, such ideas and new tactics are to be expected from cybercriminals **in 2023**.

One thing organizations need to learn from the BitRAT malware and the attack on the Columbian Cooperative Bank is that phishing remains the **top choice of cybercriminals** for malicious purposes, which is why organizations and businesses need [phishing protection](/).

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

