September 4, 2020

UK, European Banks, Fintechs Being Targeted with Malicious KYC Docs

"This innovation in tactics and tools has helped the group stay under the radar"

By Matthew Gooding

A new Python-based remote access trojan (RAT) is being deployed by a sophisticated hacking group that is using fake Know Your Customer (KYC) documents as a lure to attack financial services firms across the EU and UK.

The PyVil RAT has been developed by Evilnum, an advanced persistent threat (APT) group. The group has been tracked since 2018 by researchers from Boston-based Cybereason, who say the toolkit is new and that the group is also rapidly expanding its command and control infrastructure.

The RAT lets attackers exfiltrate data, perform keylogging, take screenshots and steal credentials by pulling in secondary tools. It is being delivered via a phishing attack consisting of a single LNK file that masquerades as a PDF of ID documents such as driving licence photos and utility bills.

When the LNK file is executed, a JavaScript file is written to disk and executed, and the LNK file is replaced with a PDF. After a few further steps (detailed in Cybereason’s graphic below) the malware drops a ddpp.exe executable masquerading as a version of “Java(™) Web Start Launcher” that has been modified to execute malicious code. (The executable is unsigned, but otherwise has metadata similar to the real one.)
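The lure described above depends on a shortcut file being taken for a PDF. The following is an added example (not code from the article or from Cybereason) of the triage check a defender can run over a mail-gateway quarantine or a user’s download folder: it reads each file’s header bytes instead of trusting the displayed name. The LNK header signature (HeaderSize 0x4C followed by the fixed LinkCLSID 00021401-0000-0000-C000-000000000046) is from Microsoft’s MS-SHLLINK specification; the sample file names and contents are constructed for the demo.

```python
"""Flag files that are presented as PDFs but are really Windows shortcuts.

Added example, not code from the Cybereason report or this article.
The LNK header signature (HeaderSize 0x4C followed by the LinkCLSID
00021401-0000-0000-C000-000000000046) comes from Microsoft's MS-SHLLINK spec.
"""
import os
import tempfile

# First 20 bytes of every well-formed .lnk file: HeaderSize (0x4C, little endian)
# followed by the fixed LinkCLSID, serialised in Windows GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PDF_MAGIC = b"%PDF-"


def classify(path):
    """Return a verdict for one file from its displayed name and its header bytes."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        head = fh.read(len(LNK_MAGIC))
    is_lnk = head.startswith(LNK_MAGIC)
    is_pdf = head.startswith(PDF_MAGIC)
    # Explorer hides the .lnk extension, so "KYC_docs.pdf.lnk" is shown as "KYC_docs.pdf".
    claims_pdf = ".pdf" in name
    if is_lnk and claims_pdf:
        return "suspicious: LNK disguised as PDF"
    if is_lnk:
        return "lnk"
    if is_pdf:
        return "pdf"
    return "other"


def scan_directory(directory):
    """Classify every regular file in directory; returns {filename: verdict}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify(path)
    return results


def demo():
    """Write three constructed sample files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "statement.pdf": PDF_MAGIC + b"1.4\n%constructed sample, not a real document\n",
            "notes.lnk": LNK_MAGIC + b"\x00" * 56,          # an honest shortcut
            "KYC_docs.pdf.lnk": LNK_MAGIC + b"\x00" * 56,   # the lure shape described above
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The check deliberately keys on the header rather than the extension: Windows never shows the trailing `.lnk`, so an extension-based rule sees only `.pdf`, while the 20-byte signature cannot be hidden from the gateway.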


“The Evilnum group employed different types of tools along its career, including JavaScript and C# Trojans, malware bought from the malware-as-a-service Golden Chickens, and other existing Python tools,” the Cybereason researchers note.

“In recent weeks we observed a significant change in the infection procedure of the group, moving away from the JavaScript backdoor capabilities, instead utilizing it as a first stage dropper for new tools down the line. During the infection stage, Evilnum utilized modified versions of legitimate executables in an attempt to stay stealthy and remain undetected by security tools.”

Now With Added RAT

The PyVil RAT is packaged with py2exe, a tool that converts Python scripts into Windows executables.


According to the researchers, extra layers of code hide the RAT inside the py2exe executable.

“Using a memory dump, we were able to extract the first layer of Python code,” the report says. “The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries.”
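The staged loader just described is the kind of thing an analyst unwraps with a small peeling loop once the first layer has been pulled from memory. The following is an added example, not Cybereason’s tooling: the article says only that each layer “decodes and decompresses” the next, so base64 plus zlib is an assumed wrapping used here to illustrate the loop, not PyVil’s actual encoding. The sample blob is constructed inside the block from a harmless one-line script.

```python
"""Peel stacked base64/zlib layers off a Python loader blob to reach the final script.

Added example, not Cybereason's tooling. The article only says each layer
"decodes and decompresses" the next; base64 + zlib is an assumed scheme used
here to illustrate the unpacking loop, not PyVil's actual encoding.
"""
import base64
import binascii
import zlib


def looks_like_zlib(data):
    """zlib stream check: CMF byte 0x78 (deflate) and a valid FCHECK on the 2-byte header."""
    return len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0


def try_base64(data):
    """Return the decoded bytes if data is strictly valid base64, else None."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(blob, max_layers=16):
    """Repeatedly undo one wrapper; stop when no known encoding is recognised.

    Returns (innermost_bytes, list_of_layer_names) so the analyst sees the structure.
    """
    layers = []
    data = blob
    for _ in range(max_layers):
        if looks_like_zlib(data):
            data = zlib.decompress(data)
            layers.append("zlib")
            continue
        decoded = try_base64(data)
        if decoded:
            data = decoded
            layers.append("base64")
            continue
        break
    return data, layers


def build_sample_blob(source):
    """Wrap a constructed, harmless script in two zlib-inside-base64 layers (sample input)."""
    layer2 = base64.b64encode(zlib.compress(source))
    layer1 = base64.b64encode(zlib.compress(layer2))
    return layer1


# Constructed stand-in for the innermost stage; not malware.
SAMPLE_SCRIPT = b"print('innermost stage reached')  # constructed sample\n"

if __name__ == "__main__":
    inner, layers = peel(build_sample_blob(SAMPLE_SCRIPT))
    print(layers)
    print(inner.decode())
```

Checking for a zlib header before attempting base64 matters: a zlib stream almost never passes strict base64 validation, but the reverse test is cheap and avoids mis-decoding a layer that happens to start with an alphabet character. The layer list is worth recording in the analysis notes, since a change in stacking order is often the only visible difference between two builds of the same loader.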

[Image: PyVil’s global variables demonstrate the malware’s capabilities (image: Cybereason)]

It has a configuration module that holds the malware’s version, C2 domains, and user agents to use when communicating with the C2.

“C2 communications are done via POST HTTP requests and are RC4 encrypted using a hardcoded key encoded with base64,” the research explains.

“This encrypted data contains a JSON of different data collected from the machine and configuration.

“During the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute. This Python module is a custom version of the LaZagne Project which the Evilnum group has used in the past. The script will try to dump passwords and collect cookie information to send to the C2.”
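The C2 scheme quoted above (HTTP POST bodies, RC4 under a single hardcoded key that is stored base64-encoded) is simple enough that an analyst can decode captured traffic with a few lines once the key has been recovered from a sample. The following is an added example for that analysis step, not Cybereason’s code: the RC4 routine is the textbook algorithm, and the key, JSON fields and POST body are all constructed inside the block; PyVil’s real key and field names are not on the page.

```python
"""Decrypt and parse a PyVil-style C2 POST body: RC4 with a hardcoded, base64-encoded key.

Added example for analysts, not Cybereason's code. The key, JSON fields and
POST body below are constructed for the demo; PyVil's real key is not on the page.
"""
import base64
import json


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed with input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_beacon(post_body, key_b64):
    """Undo the wrapping described in the report: base64 key -> RC4 -> JSON. Returns a dict."""
    key = base64.b64decode(key_b64)
    return json.loads(rc4(key, post_body).decode("utf-8"))


# Constructed placeholder key (base64 of "placeholder-key"), not the real malware key.
SAMPLE_KEY_B64 = base64.b64encode(b"placeholder-key").decode()


def make_sample_beacon():
    """Build a constructed POST body shaped like the collected-data JSON the report mentions."""
    beacon = {"version": "0.0-demo", "hostname": "LAB-WS01", "user": "analyst", "av": "none"}
    return rc4(base64.b64decode(SAMPLE_KEY_B64), json.dumps(beacon).encode("utf-8"))


if __name__ == "__main__":
    body = make_sample_beacon()
    print(decode_beacon(body, SAMPLE_KEY_B64))
```

Because the key is hardcoded and RC4 is symmetric, recovering it once from a single sample (the base64 string sits in the malware’s configuration module) is enough to decrypt every beacon captured from that build, which makes full-packet capture on egress from finance workstations worth far more than usual while an intrusion of this kind is being scoped. That same base64 key string is also a reliable hunting artifact in process memory and on-disk configuration.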

How To Stop It

Cybereason suggests strengthening remote access interfaces (such as RDP, SSH) to help keep Evilnum at bay, as well as considering social engineering training for staff: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow,” the report concludes.

IOCs are here [pdf].

