Dubbed PyVil, the new remote access trojan goes after passwords, documents, browser cookies, and email credentials, says Cybereason.
A new remote access trojan (RAT) is aiming at financial technology companies in the UK and European Union to capture sensitive information through keylogging and screen captures. Described in a Thursday blog post from cybersecurity firm Cybereason, the RAT named PyVil comes courtesy of the Evilnum APT (Advanced Persistent Threat) group. But this one has a few new tricks up its sleeve compared with previous trojans deployed by the group.
In its blog post, “No Rest for the Wicked: Evilnum Unleashes PyVil RAT,” Cybereason points to Evilnum as an operation whose malware attacks and phishing campaigns are highly targeted. The group typically sets its sights on financial technology (FinTech) companies, and mostly those located in the UK and EU.
To deploy its malware, Evilnum exploits documents for Know Your Customer regulations (KYC), which contain information provided by clients conducting business with various providers. Such documents are often used by banks and financial companies to verify the identity of their clients, which seems to tie in with Evilnum’s focus on the FinTech sector.
Evilnum’s attacks usually kick off with spear phishing emails that deliver ZIP archives with LNK files pretending to be photos of driver licenses, credit cards, utility bills, and other sensitive records. These documents are typically stolen and belong to real people.
After the victim opens an LNK file, a JavaScript Trojan replaces the LNK file with a real image. The Trojan then proceeds to upload and download files, steal cookies, gather antivirus information, and execute various commands. It also sets up communication with the group’s C2 (command-and-control) servers.
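The lure format described above (a ZIP carrying LNK shortcuts named like photos of identity documents) can be screened before a user ever opens it. The following is an added detection example written for this article, not code from Cybereason's report; the archive, its entry names and contents are constructed, and the check relies on the fixed Shell Link header (HeaderSize 0x4C followed by the ShellLink CLSID) rather than on the file name alone.

```python
import io
import re
import zipfile
from typing import Dict, List

# Every Windows shortcut begins with HeaderSize 0x0000004C and the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}, serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Double extensions that dress a shortcut up as a photo or scanned document.
LURE_EXTS = ("jpg", "jpeg", "png", "gif", "bmp", "pdf")
LURE_RE = re.compile(r"\.(" + "|".join(LURE_EXTS) + r")\.lnk$", re.IGNORECASE)


def inspect_archive(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per archive entry that is a shortcut, either by name
    (.lnk) or by content (Shell Link header). Each finding records whether the
    header matched and whether the name uses an image/document double extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first 20 bytes are needed; avoids inflating large entries.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_lnk = head == LNK_MAGIC
            if is_lnk or info.filename.lower().endswith(".lnk"):
                findings.append({
                    "name": info.filename,
                    "lnk_header": is_lnk,
                    "image_lure": bool(LURE_RE.search(info.filename)),
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one disguised shortcut, one benign JPEG, one plain shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("driver_license.jpg.lnk", LNK_MAGIC + b"\x00" * 60)  # lure
        zf.writestr("utility_bill.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # real JPEG header
        zf.writestr("notes.lnk", LNK_MAGIC + b"\x00" * 60)  # shortcut, no disguise
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

A mail gateway or endpoint scanner would quarantine on `image_lure` and alert on any `lnk_header` hit, since a shortcut inside an archive of "photos" has no legitimate reason to be there.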
A progression from its past efforts, Evilnum’s latest creation is PyVil, a Python-scripted RAT used to obtain passwords, documents, browser cookies, and email credentials on infected devices. PyVil differs from previous trojans from the group in a few ways, according to Cybereason.
PyVil RAT was compiled with py2exe, a tool that turns Python scripts into Windows executables, and the RAT has the ability to download new modules to expand its functionality. PyVil also marks a shift from JavaScript trojans with conventional backdoor capabilities to a more sophisticated multi-step process for delivering the malicious payload. Further, this strategy uses modified versions of legitimate executable files in an effort to sneak past security tools.
JavaScript trojans are still in play with this latest campaign. But in this case, they’re used as a first-stage dropper to pave the way for PyVil. After infection, PyVil attempts to gather information on the device, take screenshots, obtain keylog data, open an SSH shell, and download additional tools. These tools can be another executable program or a Python module such as LaZagne, any of which will add more functionality for the attack to proceed.
“This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow,” Cybereason said.
What can organizations and individuals do to protect themselves against these types of RAT attacks?
“Enterprises are in a cat-and-mouse game with cyber adversaries, and getting ahead of them takes resiliency and around-the-clock network-threat hunting and monitoring services,” Tom Fakterman, threat researcher for Cybereason, told TechRepublic. “Improving security hygiene will give enterprises a broader and deeper scan of their networks, enabling them to root out malicious behavior faster. For employees, I would recommend they not open attachments in emails from unknown sources and don’t download files and content from dubious sources. The same holds true for all devices, including PCs, Macs, laptops and all mobile devices.”