Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader known as Carp, which uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different lures to get victims to open them and enable the macros.
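As an added defender's example (not from this page, Palo Alto Networks, or the Cardinal analysis), the scanner below flags extracted VBA macro text that shows the delivery pattern described above: embedded C# source, an invocation of a C# compiler, and execution of the result. The indicator patterns and the sample macro text are constructed assumptions for illustration, not Cardinal-specific indicators.

```python
import re

# Constructed sample of VBA module text as a macro-extraction tool would
# dump it. It is a deliberately incomplete skeleton, not a working macro,
# and not Cardinal's actual code.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim src As String
    src = "using System; ... static void Main() { ... }"
    Dim tmp As String: tmp = Environ("TEMP") & "\a.cs"
    Open tmp For Output As #1: Print #1, src: Close #1
    Shell "...\csc.exe /out:<exe> " & tmp, vbHide
    Shell "<exe>", vbHide
End Sub
'''

# Heuristic indicators (assumed generic signs of runtime C# compilation).
INDICATORS = {
    "auto_exec": re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open)\b", re.I),
    "csharp_source": re.compile(r"using\s+System\s*;|static\s+void\s+Main\s*\(", re.I),
    "compiler_invocation": re.compile(r"\bcsc\.exe\b|CSharpCodeProvider|CodeDomProvider", re.I),
    "writes_file": re.compile(r"\bOpen\s+.+For\s+Output\b|CreateTextFile", re.I),
    "executes": re.compile(r"\bShell\b|WScript\.Shell|CreateProcess", re.I),
}


def scan_vba(text):
    """Return {indicator_name: first matched snippet} for the macro text."""
    hits = {}
    for name, pattern in INDICATORS.items():
        match = pattern.search(text)
        if match:
            hits[name] = match.group(0)
    return hits


def compiles_csharp_at_runtime(text):
    """True when source, compiler and execution indicators all co-occur,
    which is the macro behaviour worth escalating for review."""
    hits = scan_vba(text)
    return {"csharp_source", "compiler_invocation", "executes"} <= set(hits)


if __name__ == "__main__":
    for name, snippet in scan_vba(SAMPLE_VBA).items():
        print(f"{name:20s} {snippet}")
    print("runtime C# compilation:", compiles_csharp_at_runtime(SAMPLE_VBA))
```

Run it against macro text extracted from a suspicious workbook; a benign macro that merely has an auto-exec handler will not trigger the combined verdict.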
The RAT retrieves and uploads victim information to the C2 server, including:
- Microsoft Windows version
- Victim unique identifier
Cardinal has a number of features, including:
- Collect victim information
- Act as a reverse proxy
- Download and execute new files
- Update Cardinal RAT
- Clean cookies from browsers
March 2019: Cardinal targets fintech and cryptocurrency trading companies to harvest credentials, passwords, and other confidential information. This campaign also introduced obfuscation techniques to hide the underlying code. (Unit 42 of Palo Alto Networks)
Palo Alto Networks provides technical analysis on the Cardinal RAT, available here.