Cardinal

Cardinal is a remote access trojan (RAT) that Palo Alto Networks disclosed in 2017; at the time of that report it had already been active for over two years. It is delivered by a downloader known as Carp, which arrives as a Microsoft Excel document carrying malicious macros. Rather than dropping a pre-built binary, the macro compiles embedded C# source code into an executable on the victim's machine, and that executable then runs and deploys the Cardinal RAT. Because no compiled payload exists inside the document, attachment scanning sees only text source; the observable artifact is instead the compiler being launched by Excel. The Excel lures use different pretexts to persuade victims to enable the macros.
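
The compile-at-runtime delivery described above leaves a distinctive process lineage, which is where a defender would hunt for it. The following is an added example (not code from Palo Alto Networks or from the Cardinal analysis) that scans process-creation telemetry for two heuristics: an Office application directly spawning a .NET command-line compiler (csc.exe or vbc.exe, which CodeDom-style compilation from a script invokes), and an Office application launching an executable from a user-writable location such as %TEMP%, where a freshly compiled payload would be written. The log format is a simplified, constructed JSON-lines rendering of Sysmon Event ID 1; the field names, paths, PIDs and file names are assumptions made for the example.

```python
"""Hunt for the process lineage that macro-driven C# compilation produces.

Added example, not code from the Cardinal/Carp write-up. Reads constructed
Sysmon-Event-1-like JSON lines (field names are an assumption) and flags
Office applications that spawn a .NET compiler or run a binary from a
user-writable path.
"""
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}

# Constructed sample telemetry: paths, PIDs and file names are invented.
# Lines 2 and 3 model the Excel -> csc.exe -> compiled payload chain;
# line 4 is a benign csc.exe launched by MSBuild, line 5 a benign Office child.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \"C:\\Users\\alice\\Downloads\\invoice.xls\""}
{"EventID":1,"ProcessId":4388,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"csc.exe /noconfig /fullpaths @\"C:\\Users\\alice\\AppData\\Local\\Temp\\x1k9.cmdline\""}
{"EventID":1,"ProcessId":4395,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\x1k9.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"\"C:\\Users\\alice\\AppData\\Local\\Temp\\x1k9.exe\""}
{"EventID":1,"ProcessId":4402,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe","ParentImage":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","CommandLine":"csc.exe /noconfig @\"C:\\Users\\bob\\proj\\obj\\Debug\\build.rsp\""}
{"EventID":1,"ProcessId":4410,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"notepad.exe"}
""".strip().splitlines()


def _name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def _in_user_profile(image: str) -> bool:
    """True when the image lives under C:\\Users\\..., i.e. a user-writable tree."""
    parts = PureWindowsPath(image).parts
    return len(parts) > 1 and parts[1].lower() == "users"


def find_suspicious_office_children(lines):
    """Return one finding per process-creation event that matches a rule.

    Rules (both require the direct parent to be an Office application):
      office_spawns_dotnet_compiler   child is csc.exe / vbc.exe
      office_runs_exe_from_user_profile  child image is under C:\\Users
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        parent = _name(ev["ParentImage"])
        if parent not in OFFICE_APPS:
            continue
        child = _name(ev["Image"])
        if child in DOTNET_COMPILERS:
            rule = "office_spawns_dotnet_compiler"
        elif _in_user_profile(ev["Image"]):
            rule = "office_runs_exe_from_user_profile"
        else:
            continue
        findings.append({
            "rule": rule,
            "pid": ev["ProcessId"],
            "parent": parent,
            "child": child,
            "command_line": ev["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_office_children(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['parent']} -> {f['child']}: {f['command_line']}")
```

Against the constructed sample the MSBuild-launched csc.exe and the Word-launched notepad.exe are ignored, while the Excel-launched compiler and the Temp-resident executable it produced are both reported. In a real environment the compiler rule is low-noise for ordinary users; the user-profile rule should be tuned against legitimate installers and updaters that Office may legitimately launch.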

The RAT collects the following victim information and uploads it to its command-and-control (C2) server:

  • Username
  • Hostname
  • Campaign Identifier
  • Microsoft Windows version
  • Victim unique identifier
  • Processor architecture
  • Malware version

Cardinal has a number of features, including:

  • Collect victim information
  • Update settings
  • Act as a reverse proxy
  • Execute command
  • Uninstall itself
  • Recover passwords
  • Download and execute new files
  • Keylogging
  • Capture screenshots
  • Update Cardinal RAT
  • Clean cookies from browsers

Technical Details

  • Palo Alto Networks (Unit 42) published a technical analysis of the Cardinal RAT and the Carp downloader.