The Evilnum group, which specializes in targeting financial technology companies, has debuted a new tool: A Python-based remote access trojan (RAT), dubbed PyVil. The malware’s emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT.
According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne (an open source application used to retrieve passwords stored on a local computer).
The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing email that uses Know Your Customer (KYC) regulations as a lure.
“It’s ironic that threat actors would be involved in such a campaign that abuses the ‘Know Your Customer’ regulations, the process by which companies vet new customers and partners,” Tom Fakterman, threat researcher at Cybereason, told Threatpost in an interview. “The Know Your Customer process works in the manner that allows two companies to share proprietary info about each other during the vetting process to ensure neither party is involved in corruption, bribery, money laundering, etc. So in effect, the threat actors are preying on the FinTech companies by sending fraudulent information and documents that look real.”
A New RAT Sets Up Its Nest
PyVil RAT was compiled with py2exe, a tool that packages a Python script together with the interpreter into a Microsoft Windows executable. The RAT is modular: it can download new modules from its C2 to expand its functionality.
“The Python code inside the py2exe is obfuscated with extra layers, in order to prevent decompilation of the payload using existing tools,” according to the research. “Using a memory dump, we were able to extract the first layer of Python code. The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries.”
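The layered loader described above, as an added example that is not part of the Cybereason research or of PyVil itself. It builds a two-layer stub the way the quote describes one (each layer decodes and decompresses the next, the last one loads the main code) and then peels the layers statically, without executing any of them. The base64-plus-zlib encoding, the `exec(...)` stub shape and the inert innermost script are all assumptions made for the demonstration; the real sample's encoding is not given on this page.

```python
import base64
import re
import zlib

# Constructed, inert stand-in for the innermost "main RAT" code.
INNER_SOURCE = b'def main():\n    return "innermost layer reached"\n'

# Matches the literal a loader stub passes to b64decode(). The stub format
# is our own assumption about what one obfuscation layer looks like.
BLOB_RE = re.compile(r"b64decode\('([A-Za-z0-9+/=]+)'\)")


def wrap_layer(inner: bytes) -> bytes:
    """Build the source of a loader that decodes, decompresses and execs
    `inner` at run time. This mirrors the page's description of a layer
    (decode -> decompress -> load); base64+zlib is an assumed scheme."""
    blob = base64.b64encode(zlib.compress(inner)).decode()
    return (
        "import base64, zlib\n"
        f"exec(zlib.decompress(base64.b64decode('{blob}')))\n"
    ).encode()


def build_sample(layers: int = 2) -> bytes:
    """Nest INNER_SOURCE inside `layers` loader stubs (the page describes two)."""
    src = INNER_SOURCE
    for _ in range(layers):
        src = wrap_layer(src)
    return src


def is_python_source(blob: bytes) -> bool:
    """True if the bytes compile as a Python module (compile only, no exec)."""
    try:
        compile(blob, "<layer>", "exec")
        return True
    except (SyntaxError, ValueError):
        return False


def peel(source: bytes, max_layers: int = 10) -> list:
    """Statically unwrap a nested loader without running any layer.
    Returns every layer seen, outermost first; stops when no further
    encoded blob is found or the decoded data is not valid Python."""
    layers = [source]
    for _ in range(max_layers):
        match = BLOB_RE.search(layers[-1].decode("latin-1"))
        if not match:
            break
        try:
            inner = zlib.decompress(base64.b64decode(match.group(1)))
        except (zlib.error, ValueError):
            break
        if not is_python_source(inner):
            break
        layers.append(inner)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample(2))):
        print(f"layer {depth}: {layer[:60]!r}")
```

The static route works only when each layer's decoding is recognisable from its source; when it is not (custom encodings, a decode routine hidden in a native extension), the dynamic route the researchers used applies: let the first layer run, dump the process memory, and carve the decoded next layer out of the dump.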
PyVil RAT also has a configuration module that holds the malware’s version, command-and-control (C2) domains and instructions for which browser to use when communicating with the C2. The C2 communications are done via POST HTTP requests and are RC4 encrypted using a hardcoded key encoded with Base64, according to the analysis.
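The C2 body format described above, as an added example that is not taken from PyVil or from the Cybereason report. It implements RC4 (KSA plus PRGA), derives the key by Base64-decoding a hardcoded string, and shows both sides: the implant encrypting a beacon for a POST body and an analyst decrypting a captured body. The beacon fields, the key string and the JSON layout are constructed for the demonstration, and using the decoded Base64 bytes (rather than the Base64 text itself) as the RC4 key is an assumption, since the page does not say which the RAT does. The last two functions go one step beyond the page: with a single static key, RC4 produces the same keystream for every message, so a known plaintext prefix in one captured body recovers keystream bytes that decrypt the same prefix of every other body without the key.

```python
import base64
import json

# Constructed stand-in for the RAT's hardcoded key (the page says it is
# stored Base64-encoded; we decode it before use, which is an assumption).
KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_beacon(fields: dict, key_b64: str = KEY_B64) -> bytes:
    """Implant side: the bytes that would travel in the POST body."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return rc4(base64.b64decode(key_b64), plaintext)


def decrypt_beacon(body: bytes, key_b64: str = KEY_B64) -> dict:
    """Analyst side: turn a captured POST body back into the beacon fields."""
    return json.loads(rc4(base64.b64decode(key_b64), body))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for that prefix.
    With a static key the keystream is identical for every message."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_prefix(ciphertext: bytes, keystream: bytes) -> bytes:
    """Apply recovered keystream to the same prefix of another message."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


if __name__ == "__main__":
    beacon = {"cmd": "checkin", "host": "WS-FIN-07", "ver": "1.0"}  # constructed
    body = encrypt_beacon(beacon)
    print(body.hex())
    print(decrypt_beacon(body))
```

The `rc4` routine is checked against the standard test vector (key `Key`, plaintext `Plaintext`) in the test below, which is the first thing to do before trusting any decryptor written from a malware write-up. The keystream-reuse functions are the practical reason a static-key RC4 channel is weak for the operator as well: once the analyst knows the shape of one beacon, every captured body leaks its first bytes.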
Cybereason found that PyVil RAT supports a range of commands, including: acting as a keylogger; running CMD commands; taking screenshots; dropping and uploading other Python scripts and executables; opening an SSH shell; and collecting information such as the antivirus products installed on the machine, the Chrome version and which USB devices are connected. During Cybereason’s analysis, PyVil RAT also received from the C2 a custom version of LaZagne, which the Evilnum group has used in the past.
Interestingly, Evilnum’s C2 infrastructure is growing and expanding as well.
“While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing,” the researchers explained. “A few weeks ago, three domains associated with the malware were resolved to the same IP address. Shortly thereafter, the C2 IP address of all three domains changed. In addition, three new domains were registered with the same IP address and were used by the malware. A few weeks later, this change occurred again. The resolution address of all domains changed in the span of a few days, with the addition of three new domains.”
Changing Up the Infection Routine
As part of this changed routine, the group is using modified versions of legitimate executables in an attempt to remain undetected by security tools, he added.
“The ddpp.exe executable appears to be a version of [Oracle’s legitimate] Java Web Start Launcher, modified to execute malicious code,” according to Cybereason. “When comparing the malware executable with the original Oracle executable, we can see the similar metadata between the files. The major difference at first sight is that the original Oracle executable is signed, while the malware is not.”
The dropper creates a scheduled task named “Dolby Selector Task,” which launches the second stage: unpacked shellcode that connects to the C2 with a GET request and receives another encrypted executable, saved to disk as “fplayer.exe.”
“fplayer.exe appears to be a modified version of [Nvidia’s legitimate] Stereoscopic 3D driver Installer,” the analysis detailed. “In here as well, we can see the similar metadata between the files with the difference being that the original Nvidia executable is signed, while the malware is not.”
When executed, fplayer.exe unpacks more shellcode, which forms its own C2 connection and downloads yet another payload, the final piece of code. This is decrypted and loaded into memory, where it runs as a fileless RAT: PyVil.
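The "looks like the vendor binary but is not signed" point made for ddpp.exe and fplayer.exe above can be checked programmatically. The following is an added example, not Cybereason's tooling: it walks the PE headers to the security data directory (index 4, which unusually holds a raw file offset rather than an RVA) and reports whether an embedded Authenticode `WIN_CERTIFICATE` blob is present. The stub PE it builds for itself is constructed (a PE32+ header with no sections and no code, plus an optional fake certificate record) purely to exercise the parser; `security_directory` and `describe_signature` work on a real file read from disk.

```python
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory index of the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate is a PKCS#7 SignedData


def security_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or (0, 0)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at 92, dirs at 96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:          # PE32+: NumberOfRvaAndSizes at 108, dirs at 112
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
        return (0, 0)
    return struct.unpack_from("<II", pe, opt + entry)


def describe_signature(pe: bytes) -> Optional[dict]:
    """Parse the WIN_CERTIFICATE header if an embedded signature exists.
    Presence only: this does not verify the PKCS#7 blob or the signer."""
    off, size = security_directory(pe)
    if off == 0 or size < 8 or off + size > len(pe):
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return {
        "offset": off,
        "length": length,
        "revision": revision,
        "certificate_type": cert_type,
        "pkcs7": pe[off + 8:off + length],
    }


def build_minimal_pe(signature: Optional[bytes]) -> bytes:
    """Constructed PE32+ header stub (no sections, no code) used only to
    exercise the parser, with an optional appended WIN_CERTIFICATE."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                   # PE32+ with 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    head = bytes(dos) + b"PE\0\0" + coff
    if signature is None:
        return head + bytes(opt)
    cert = struct.pack("<IHH", 8 + len(signature), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(head) + len(opt), len(cert))
    return head + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real file: python this.py some.exe
        with open(sys.argv[1], "rb") as f:
            print(describe_signature(f.read()))
    else:                                       # constructed stubs
        print(describe_signature(build_minimal_pe(b"\x30\x82\x00\x04\x02\x01\x01\x00")))
        print(describe_signature(build_minimal_pe(None)))
```

Two caveats a practitioner should keep in mind. A present blob is not a valid one: a trojanised binary can carry a copied or self-signed certificate record, so a hit from this check should be followed by real verification (`signtool verify /pa`, or `Get-AuthenticodeSignature` in PowerShell). And the converse also fails for Windows components that are catalog-signed rather than embedded-signed, which have an empty security directory despite being legitimate; the comparison on this page holds because the Oracle and Nvidia originals carry embedded signatures and the modified copies do not.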
“EvilNum knows what they are doing, as they regularly change their TTPs to avoid detection,” Fakterman told Threatpost. “In the case of the Nocturnus research, EvilNum is using several new tricks as we discovered a significant deviation from the infection chain, persistence, infrastructure and previously observed tools. We expect EvilNum to continue to grow its arsenal of tools in the future with more innovative tactics and tools to allow them to stay under the radar.”
To protect themselves, businesses should take basic precautions when it comes to email security hygiene, Fakterman noted.
“Time and time again threat actors revert to the time-tested infection method of phishing emails,” he said. “Enterprises need to constantly evolve their stack of security tools to more easily root out the stealth tactics being deployed. The employees of enterprises shouldn’t be opening email attachments from unknown sources and should avoid downloading information from dubious websites.”