Advisory
Adversarial Intelligence
Threat Actor: AridViper
Target: Windows System
AridViper (APT-C-23) has dropped a new Python-based malware called PyMicropsia to target victims in the Middle East. The malware is an info-stealer with additional capabilities, including:
- Keylogging
- Downloading and executing payloads
- Stealing browser credentials
- Clearing browsing history and profiles
- Rebooting machines
- Collecting Outlook processes, etc.
An overview of PyMicropsia
The PyMicropsia Trojan uses Python's built-in libraries as well as specific third-party packages, including:
- pyaudio – audio stealing capabilities
- mss – screenshot capabilities
The malware is still under development, as is clear from several unused code sections. Although PyMicropsia was designed to target Windows, its code also contains snippets that check for other operating systems such as POSIX or Darwin.
MITRE Tactics and Techniques
Initial Access: Masquerade as Legitimate Application (T1444), Deliver Malicious App via Other Means (T1476)
Execution: Native Code (T1575)
Persistence: Broadcast Receivers (T1402)
Defense Evasion: Suppress Application Icon (T1508), Application Discovery (T1418)
Discovery: File and Directory Discovery (T1420), System Information Discovery (T1426), Access Call Log (T1433), Access Contact List (T1432), Access Notification (T1517), Capture Audio (T1429)
Collection: Capture Camera (T1512), Capture SMS Messages (T1412), Data from Local System (T1533), Screen Capture (T1513), Alternative Network Mediums (T1438)
Command and Control: Standard Application Layer Protocol (T1437), Remote File Copy (T1544)
Exfiltration: Data Encrypted (T1532)
Impact: Delete Device Data (T1447)
Recent Activity
In September 2020, the AridViper threat group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
Impact
Technical Impact
- Malicious attachments used in phishing campaigns allow attackers to gain an initial foothold on the target system.
- Payload delivery and execution result in the compromise of user data and privacy.
- The network that the compromised system belongs to becomes vulnerable to further attacks.
- Custom tools designed by the attacker allow lateral movement while avoiding detection.
Business Impact
- A cyber attack damages an organization's goodwill and brand.
- Customers lose trust in the company.
- Companies will be liable to pay compensation or penalties.
- Compromised company or customer data will be sold on the Dark Web.
Indicators of Compromise
MD5
SHA-256
Domains
Mitigation
- Download applications only from trusted sources or official app stores.
- Review the permissions granted to applications.
- Keep your antivirus updated and ensure you are using the latest version.
- Implement robust web filtering that can inspect content for malicious payloads and quickly restrict or block the download.
- Keep your browser up to date.