View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 4, 2020

UK, European Banks, Fintechs Being Targeted with Malicious KYC Docs

"This innovation in tactics and tools has helped the group stay under the radar"

By Matthew Gooding

A new Python-based remote access trojan (RAT) is being deployed by a sophisticated hacking group — which is using fake Know Your Customer (KYC) documents to attack financial services firms across the EU and UK.

The PyVil RAT has been developed by Evilnum, an advanced persistent threat (APT) group. The group has been tracked since 2018 by researchers from Boston-based Cybereason, who say the toolkit is a new one from the group — which is also expanding its command and control infrastructure rapidly.

The RAT lets attackers exfiltrate data, perform keylogging, take screenshots and steal credentials by using supplementary secondary tools. It is being delivered via a phishing attack comprising a single LNK file masquerading as a PDF which contains a range of ID documents like driving license shots and utility bills.

When the LNK file is executed, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF. After a few steps (detailed in Cybereason’s graphic below) the malware drops a ddpp.exe executable masquerading as a version of “Java(™) Web Start Launcher”; modified to execute malicious code. (The executable is unsigned, but otherwise has similar metadata to the real deal).

Read This: QSnatch Malware – 62,000 Devices Infected

“The Evilnum group employed different types of tools along its career, including JavaScript and C# Trojans, malware bought from the malware-as-a-service Golden Chickens, and other existing Python tools,” the Cybereason researchers note.

“In recent weeks we observed a significant change in the infection procedure of the group, moving away from the JavaScript backdoor capabilities, instead utilizing it as a first stage dropper for new tools down the line. During the infection stage, Evilnum utilized modified versions of legitimate executables in an attempt to stay stealthy and remain undetected by security tools.”

Now With Added RAT

The PyVil RAT is compiled in the py2exe Python extension, which converts Python scripts into Windows executables.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

According to the researchers, extra layers of code hide the RAT within py2exe.

“Using a memory dump, we were able to extract the first layer of Python code,” the report says. The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries.”

PyVil RAT

PyVil’s global variables demonstrate the malware’s capabilities (image: Cybereason)

It has a configuration module that holds the malware’s version, C2 domains, and user agents to use when communicating with the C2.

“C2 communications are done via POST HTTP requests and are RC4 encrypted using a hardcoded key encoded with base64,” the research explains.

“This encrypted data contains a Json of different data collected from the machine and configuration.

“During the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute. This Python module is a custom version of the LaZagne Project which the Evilnum group has used in the past. The script will try to dump passwords and collect cookie information to send to the C2.”

How To Stop It

Cybereason suggests strengthening remote access interfaces (such as RDP, SSH) to help keep Evilnum at bay, as well as considering social engineering training for staff: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow,” the report concludes.

IOCs are here [pdf].

Check This Out: Trojan Mobile Banking Bot Uncovered by Researchers

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU