Cardinal RAT (1d9fbf33-faea-40c1-b543-c7b39561f0ff)
Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
EVILNUM (e1ca79eb-5629-4267-bb37-3992c7126ef4) | Tool | Cardinal RAT (1d9fbf33-faea-40c1-b543-c7b39561f0ff) | Tool | 1 |
Cardinal RAT (3d3da4c0-004c-400c-9da6-f83fd35d907e) | Malpedia | Cardinal RAT (1d9fbf33-faea-40c1-b543-c7b39561f0ff) | Tool | 1 |
EVILNUM (e1ca79eb-5629-4267-bb37-3992c7126ef4) | Tool | Cardinal (cb23f563-a8b9-4427-9884-594e8d3cc836) | RAT | 2 |