Evilnum group targets FinTech firms with new Python-based RAT

Evilnum, a group known for targeting financial technology companies, has added new malware and infection tricks to its arsenal, researchers warn. The group is suspected of offering APT-style hacker-for-hire services to other entities, a growing and worrying trend that’s changing the threat landscape.

Evilnum appeared on the radar of security companies in 2018 when it started targeting FinTech companies throughout Europe with spear-phishing emails that try to pass malicious files off as scans of credit cards, utility bills, ID cards, driver's licenses and other identity verification documents required by know-your-customer (KYC) regulations in the financial sector.

The emails included links to ZIP archives hosted on Google Drive that contained specially crafted Windows shortcut files (LNK) posing as JPG images. The LNK files had malicious JavaScript code attached to them which, if executed, started an infection chain resulting in the deployment of a JavaScript-based Trojan.

Researchers from security firm Cybereason have recently observed some changes in Evilnum's techniques. Instead of multiple LNK files masquerading as pictures, the group's ZIP archives now contain a single LNK file that poses as a PDF document with scans of the required KYC documents. This LNK file also has JavaScript attached to it, but the code now serves only as a dropper: instead of a full-blown JavaScript-based Trojan, it deploys a new malware program written in Python.
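As an added defender-side illustration (not code from the article or from Cybereason), the following Python script inspects a ZIP archive for the lure pattern described above: a Windows shell-link (.lnk) file whose name imitates a JPG or PDF scan, a file whose content is a shell link but whose extension is not .lnk, and an archive whose only member is such a link. The archive contents, file names and the truncated link body are constructed for the example; the magic bytes are the documented shell-link header size (0x4C) and LinkCLSID.

```python
import io
import zipfile
from typing import List, Tuple

# A Windows shell link (.lnk) begins with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

# Extensions the lure impersonates (scanned KYC documents).
LURE_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a shell-link header."""
    return data.startswith(LNK_MAGIC)


def split_ext(name: str) -> Tuple[str, str, str]:
    """Return (basename, outer extension, inner extension), lower-cased.

    'scan.pdf.lnk' -> ('scan', 'lnk', 'pdf'); 'scan.jpg' -> ('scan', 'jpg', '').
    """
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    outer = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    return parts[0], outer, inner


def inspect_zip(zip_bytes: bytes) -> List[str]:
    """Return human-readable findings for one ZIP archive (empty list = nothing suspicious)."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [m for m in zf.infolist() if not m.is_dir()]
        lnk_members = []
        for m in files:
            # Only the header is needed to recognise a shell link.
            with zf.open(m) as fh:
                head = fh.read(len(LNK_MAGIC))
            _, outer, inner = split_ext(m.filename)
            if is_lnk(head):
                lnk_members.append(m.filename)
                if outer != "lnk":
                    findings.append(f"{m.filename}: shell-link content under a .{outer or '(none)'} extension")
                if inner in LURE_EXTENSIONS:
                    findings.append(f"{m.filename}: shell link posing as a .{inner} document")
            elif outer == "lnk":
                findings.append(f"{m.filename}: .lnk name without a shell-link header")
        # The pattern reported above: the archive holds exactly one file and it is a link.
        if len(files) == 1 and lnk_members:
            findings.append("archive contains a single file and it is a shell link")
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive: one shell link named like a PDF scan (header only, no real link data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KYC_documents.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed benign archive: a JPEG and a PDF with their normal headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("passport.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("bill.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, inspect_zip(data) or ["no findings"])
```

Checking the header rather than trusting the extension matters because Windows Explorer hides the .lnk suffix by default, so a file named `scan.jpg.lnk` is shown to the user as `scan.jpg`; the same check can be applied to attachments at a mail gateway before the archive ever reaches a mailbox.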

How the PyVil RAT works

The new Python malware, dubbed PyVil RAT by Cybereason, provides hackers with several capabilities including:

  • Keylogging
  • Executing commands
  • Taking screenshots
  • Downloading additional Python-based scripts that act as modules
  • Downloading and uploading executables
  • Opening SSH shells
  • Collecting information about the system and installed programs such as antivirus, Google Chrome version or the connected USB devices

Malware written in Python is not a new development but is not common. Python is a scripting language that’s popular with security professionals and hackers alike on Linux systems, but it does not execute natively on Windows and needs a separate runtime environment, similar to Java. Python programs can be compiled directly into Windows executables that are self-contained, but because they have to include all the libraries usually provided by the runtime, their size ends up being quite large and this is something that’s not appealing to malware authors.

Copyright © 2020 IDG Communications, Inc.
