“This innovation in tactics and tools has helped the group stay under the radar”
A new Python-based remote access trojan (RAT) is being deployed by a sophisticated hacking group — which is using fake Know Your Customer (KYC) documents to attack financial services firms across the EU and UK.
The PyVil RAT has been developed by Evilnum, an advanced persistent threat (APT) group. The group has been tracked since 2018 by researchers from Boston-based Cybereason, who say the toolkit is a new one from the group — which is also expanding its command and control infrastructure rapidly.
The RAT lets attackers exfiltrate data, perform keylogging, take screenshots and steal credentials using supplementary tools. It is being delivered via a phishing attack comprising a single LNK file masquerading as a PDF, which contains a range of ID documents such as driving licence photos and utility bills.
Now With Added RAT
The PyVil RAT is compiled in the py2exe Python extension, which converts Python scripts into Windows executables.
According to the researchers, extra layers of code hide the RAT within py2exe.
“Using a memory dump, we were able to extract the first layer of Python code,” the report says. “The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries.”
It has a configuration module that holds the malware’s version, C2 domains, and user agents to use when communicating with the C2.
“C2 communications are done via POST HTTP requests and are RC4 encrypted using a hardcoded key encoded with base64,” the research explains.
“This encrypted data contains a Json of different data collected from the machine and configuration.
“During the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute. This Python module is a custom version of the LaZagne Project which the Evilnum group has used in the past. The script will try to dump passwords and collect cookie information to send to the C2.”
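As an added illustration (not code from the Cybereason report or from the malware itself), here is the kind of decoder an analyst would write for C2 POST bodies captured from a sandbox run of a sample using this scheme: RC4 with a hardcoded key stored as base64, and a plaintext that should parse as JSON. The key, hostname and beacon fields below are constructed placeholders, not PyVil's real values.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric, so the same
    routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(b64_key: str, body: bytes):
    """Decrypt a captured POST body with the base64-encoded hardcoded key.
    Returns the parsed JSON, or None when the result is not JSON
    (wrong key, or an unrelated request in the same capture)."""
    key = base64.b64decode(b64_key)
    plain = rc4(key, body)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


# Constructed sample (placeholder key, not the malware's): a beacon-like
# JSON object encrypted with the same routine so the example runs offline.
SAMPLE_KEY_B64 = base64.b64encode(b"PLACEHOLDER-KEY-NOT-PYVIL").decode()
SAMPLE_BEACON = {"version": "x.y", "hostname": "WS-01", "user_agent": "Mozilla/5.0"}
SAMPLE_BODY = rc4(base64.b64decode(SAMPLE_KEY_B64), json.dumps(SAMPLE_BEACON).encode())

if __name__ == "__main__":
    print(decode_c2_body(SAMPLE_KEY_B64, SAMPLE_BODY))
```

Run over every POST body to a suspected C2 host, a non-None result is the beacon content to triage; a None result with the correct key means the request is not from this family or the key has changed.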
How To Stop It
Cybereason suggests strengthening remote access interfaces (such as RDP, SSH) to help keep Evilnum at bay, as well as considering social engineering training for staff: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow,” the report concludes.
IOCs are here [pdf].