| Advisory | Adversarial Intelligence |
| --- | --- |
| Threat Actor | AridViper [APT-C-23] |
| Target | Windows System |
AridViper (APT-C-23) drops a new Python-based malware called PyMicropsia to target victims in the Middle Eastern region. This malware is an info-stealer and has other capabilities such as:
- Keylogging,
- Downloading and executing payloads,
- Stealing browser credentials,
- Clearing browsing history and profiles,
- Rebooting machines,
- Collecting Outlook processes, etc.
Figure: An overview of PyMicropsia
The PyMicropsia Trojan bundles built-in Python libraries as well as specific third-party packages, including:
- pyaudio - audio capture (audio stealing) capabilities
- mss - screenshot capabilities
The malware is still under development, which is evident from several unused sections of its code. Although PyMicropsia was designed to target Windows, its code also contains snippets that check for other operating systems such as Posix or Darwin.
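As an added triage example (not code from the advisory or from the malware), the heuristic below flags a file when several of the traits the advisory attributes to PyMicropsia co-occur as plain strings: the pyaudio and mss packages, the Posix/Darwin operating-system checks, and Outlook process collection. That these traits surface as cleartext strings in a given sample, and the regexes used to find them, are assumptions; the sample blobs are constructed.

```python
"""Heuristic triage for a suspected Python-based info-stealer.

Added example, not from the advisory: a file is flagged when several of
the traits the advisory attributes to PyMicropsia appear together.
Whether a real sample exposes these strings in cleartext is an assumption.
"""
import re
from pathlib import Path

# Trait names come from the advisory text; the patterns are our assumption
# about how each trait would surface as a string inside a packaged binary.
TRAITS = {
    "audio_capture":   rb"pyaudio",   # pyaudio package (audio stealing)
    "screenshot":      rb"\bmss\b",   # mss package (screenshots)
    "os_probe_posix":  rb"posix",     # non-Windows OS check
    "os_probe_darwin": rb"darwin",    # macOS check
    "outlook_collect": rb"outlook",   # Outlook process collection
}

def score_bytes(data: bytes) -> dict:
    """Return a dict of trait name -> whether it matched (case-insensitive)."""
    return {name: re.search(pat, data, re.IGNORECASE) is not None
            for name, pat in TRAITS.items()}

def is_suspicious(data: bytes, threshold: int = 3) -> bool:
    """Alert only when at least `threshold` traits co-occur.

    A single hit such as 'posix' is common in benign Python programs, so the
    combination, not any one string, is what is treated as suspicious.
    """
    return sum(score_bytes(data).values()) >= threshold

def triage_file(path: str) -> bool:
    """Convenience wrapper: read a file from disk and score it."""
    return is_suspicious(Path(path).read_bytes())

# Constructed sample blobs (not real malware) for demonstration only.
SAMPLE_SUSPICIOUS = (b"\x00pyaudio\x00mss\x00os.name == 'posix'\x00"
                     b"sys.platform == 'darwin'\x00OUTLOOK.EXE\x00")
SAMPLE_BENIGN = b"\x00os.name == 'posix'\x00requests\x00json\x00"

if __name__ == "__main__":
    print("suspicious sample flagged:", is_suspicious(SAMPLE_SUSPICIOUS))
    print("benign sample flagged:", is_suspicious(SAMPLE_BENIGN))
```

Tune the threshold against known-good Python binaries in your environment before using the score for alerting.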
MITRE Tactics and Techniques

| Tactic | Technique |
| --- | --- |
| Initial Access | Masquerade as Legitimate Application (T1444), Deliver Malicious App via Other Means (T1476) |
| Execution | Native Code (T1575) |
| Persistence | Broadcast Receivers (T1402) |
| Defense Evasion | Suppress Application Icon (T1508), Application Discovery (T1418) |
| Discovery | File and Directory Discovery (T1420), System Information Discovery (T1426), Access Call Log (T1433), Access Contact List (T1432), Access Notification (T1517), Capture Audio (T1429) |
| Collection | Capture Camera (T1512), Capture SMS Messages (T1412), Data from Local System (T1533), Screen Capture (T1513), Alternative Network Mediums (T1438) |
| Command and Control | Standard Application Layer Protocol (T1437), Remote File Copy (T1544) |
| Exfiltration | Data Encrypted (T1532) |
| Impact | Delete Device Data (T1447) |
Recent Activity
In September 2020, the AridViper threat group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
Impact
Technical Impact
- Malicious attachments used in phishing campaigns allow attackers to gain an initial foothold on the target system.
- Payload delivery and execution result in the compromise of user data and privacy.
- The network that the compromised system belongs to becomes vulnerable to further attacks.
- Custom tools designed by the attacker allow lateral movement while avoiding detection.
Business Impact
- A cyber attack damages an organization's goodwill and brand.
- Customers lose trust in the company.
- Companies may be liable to pay compensation or penalties.
- Compromised company or customer data may be sold on the dark web.
Indicators of Compromise
Mitigation
- Download applications only from trusted sources or official app stores.
- Review the permissions granted to applications.
- Keep your antivirus updated and ensure you are using the latest version.
- Implement robust web filtering that can inspect content for malicious material and quickly block or restrict its download.
- Keep your browser up to date.