AridViper Windows Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on AridViper, which drops the Python-based Windows malware PyMicropsia, an info-stealer with additional capabilities.
Updated on
April 19, 2023
Published on
December 24, 2020
Read time: 5 minutes
Advisory
Adversarial Intelligence
Threat Actor
AridViper [APT-C-23]
Target
Windows System
  AridViper (APT-C-23) drops a new Python-based malware, PyMicropsia, to target victims in the Middle East. The malware is an info-stealer with additional capabilities, including:
  • Keylogging
  • Downloading and executing payloads
  • Stealing browser credentials
  • Clearing browsing history and profiles
  • Rebooting the machine
  • Enumerating Outlook processes
[Figure: an overview of PyMicropsia]
PyMicropsia is built on Python's standard library together with third-party packages that supply specific capabilities:
  1. PyAudio - audio capture (recording from the microphone)
  2. mss - screenshot capture
The malware is still under development, as its several unused code sections show. Although PyMicropsia was written to target Windows, its code also checks for other platform identifiers, namely posix and darwin (the values Python reports for Linux/Unix and macOS), which suggests that support for those systems is planned or in progress.
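The two package imports and the platform checks described above are cheap static markers for triaging a suspicious Python sample. The following script, added here as an example (it is not CloudSEK tooling and not the malware's code), walks the AST of a Python source file and reports imports of pyaudio or mss and any comparison of os.name or sys.platform against "posix" or "darwin". The SAMPLE_SOURCE it runs on is constructed for illustration.

```python
"""Static triage of a Python sample for the capability markers this advisory
attributes to PyMicropsia: imports of pyaudio (audio capture) and mss
(screenshots), and comparisons of os.name / sys.platform against 'posix' or
'darwin'. Added example; not CloudSEK's tooling and not the malware's code.
SAMPLE_SOURCE below is constructed for illustration."""
import ast
from typing import Dict, List

# Third-party packages the advisory ties to specific capabilities.
CAPABILITY_MODULES = {
    "pyaudio": "audio capture",
    "mss": "screenshot capture",
}
# Platform identifiers the advisory reports the code checking for.
PLATFORM_STRINGS = {"posix", "darwin"}


def _is_platform_attr(node: ast.AST) -> bool:
    """True for the attribute accesses os.name and sys.platform."""
    return (
        isinstance(node, ast.Attribute)
        and isinstance(node.value, ast.Name)
        and (node.value.id, node.attr) in {("os", "name"), ("sys", "platform")}
    )


class Triage(ast.NodeVisitor):
    def __init__(self) -> None:
        self.capabilities: Dict[str, str] = {}   # module -> capability
        self.platform_checks: List[str] = []     # platform strings compared against

    def _note_module(self, name: str) -> None:
        if name in CAPABILITY_MODULES:
            self.capabilities[name] = CAPABILITY_MODULES[name]

    def _note_string(self, node: ast.AST) -> None:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower() in PLATFORM_STRINGS:
                self.platform_checks.append(node.value.lower())

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self._note_module(alias.name.split(".")[0])
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            self._note_module(node.module.split(".")[0])
        self.generic_visit(node)

    def visit_Compare(self, node: ast.Compare) -> None:
        # Covers os.name == "posix", sys.platform != "darwin", "darwin" in sys.platform
        operands = [node.left, *node.comparators]
        if any(_is_platform_attr(o) for o in operands):
            for o in operands:
                self._note_string(o)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # Covers sys.platform.startswith("darwin")
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr == "startswith" and _is_platform_attr(f.value):
            for a in node.args:
                self._note_string(a)
        self.generic_visit(node)


def triage_source(source: str) -> Dict[str, object]:
    """Parse Python source and report capability imports and platform checks."""
    visitor = Triage()
    visitor.visit(ast.parse(source))
    return {
        "capabilities": dict(visitor.capabilities),
        "platform_checks": sorted(set(visitor.platform_checks)),
    }


# Constructed sample mimicking the traits described above; not real malware.
SAMPLE_SOURCE = '''
import os, sys
import pyaudio
from mss import mss

def pick_target():
    if os.name == "nt":
        return "windows"
    if os.name == "posix":
        return "linux"
    if sys.platform.startswith("darwin"):
        return "mac"
    return None
'''

if __name__ == "__main__":
    print(triage_source(SAMPLE_SOURCE))
```

The visitor inspects structure rather than grepping text, so an import hidden behind an alias (`import mss as m`) or a platform string compared in either operand order is still caught; it does not see imports built dynamically with `__import__` or `importlib`, which is a limitation worth remembering for packed samples.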

MITRE Tactics and Techniques

Tactic | Technique(s)
Initial Access | Masquerade as Legitimate Application (T1444), Deliver Malicious App via Other Means (T1476)
Execution | Native Code (T1575)
Persistence | Broadcast Receivers (T1402)
Defense Evasion | Suppress Application Icon (T1508), Application Discovery (T1418)
Discovery | File and Directory Discovery (T1420), System Information Discovery (T1426)
Collection | Access Call Log (T1433), Access Contact List (T1432), Access Notifications (T1517), Capture Audio (T1429), Capture Camera (T1512), Capture SMS Messages (T1412), Data from Local System (T1533), Screen Capture (T1513)
Command and Control | Standard Application Layer Protocol (T1437), Remote File Copy (T1544), Alternative Network Mediums (T1438)
Exfiltration | Data Encrypted (T1532), Alternative Network Mediums (T1438)
Impact | Delete Device Data (T1447)

Note that the technique IDs in this table come from the ATT&CK for Mobile matrix and describe the group's Android tooling (see Recent Activity below), not the Windows PyMicropsia sample. The Windows capabilities listed above map to the ATT&CK Enterprise techniques Input Capture: Keylogging (T1056.001), Ingress Tool Transfer (T1105), Command and Scripting Interpreter: Python (T1059.006), Credentials from Password Stores: Credentials from Web Browsers (T1555.003), Indicator Removal (T1070), System Shutdown/Reboot (T1529), Process Discovery (T1057), Audio Capture (T1123) and Screen Capture (T1113).
 

Recent Activity

In September 2020, the AridViper group was observed using an Android spyware variant, Android/SpyC32.A, to spy on WhatsApp and Telegram users.

Impact

Technical Impact
  • Malicious attachments used in phishing campaigns give attackers an initial foothold on the target system.
  • Payload delivery and execution compromise user data and privacy.
  • The network the compromised system belongs to is exposed to further attacks.
  • Custom tooling built by the attacker supports lateral movement while evading detection.
Business Impact
  • A cyber attack damages an organization's goodwill and brand.
  • Customers lose trust in the company.
  • The company may be liable for compensation or regulatory penalties.
  • Compromised company and customer data may be sold on the dark web.

Indicators of Compromise

MD5
  1. e098135ca0b3bdfdd8465312c378e4e2
  2. 835f86e1e83a3da25c715e89db5355cc
  3. 6e2d058c3508694a392194dbb6e9fe44
  4. e35d13bd8f04853e69ded48cf59827ef
  5. ae0b53e6b378bf74e1dd2973d604be55
  6. 533b1aea016aacf4afacfe9a8510b168
  7. bbf630ca23976ddf8a561ccdb477c73d
  8. 315c2dbe40bc2dc62cd58872744d1f0c
  9. 89e9823013f711d384824d8461cc425d
  10. f5bac4d2de2eb1f8007f68c77bfa460e
  11. 4d9b6b0e7670dd5919b188cb71d478c0
  12. 7ea20c7c999bbd59e9b90309c0afa972
  13. f93faca357f9a8041a377ca913888565
  14. cf24ddd2bfd6ea9b362722baff36cc21
  15. 9d76d59de0ee91add92c938e3335f27f
  16. 94a5e595be051b9250e678de1ff927ac
  17. c7d7ee62e093c84b51d595f4dc56eab1
  18. c27f925a7c424c0f5125a681a9c44607
SHA-256
  1. 078212fc6d69641e96ed04352fba4d028fd5eadc87c7a4169bfbcfc52b8ef8f2
  2. 0d65b9671e51baf64e1389649c94f2a9c33547bfe1f5411e12c16ae2f2f463dd
  3. 11487246a864ee0edf2c05c5f1489558632fb05536d6a599558853640df8cd78
  4. 2115d02ead5e497ce5a52ab9b17f0e007a671b3cd95aa55554af17d9a30de37c
  5. 26253e9027f798bafc4a70bef1b5062f096a72b0d7af3065b0f4a9b3be937c99
  6. 3884ac554dcd58c871a4e55900f8847c9e308a79c321ae46ced58daa00d82ab4
  7. 3c8979740d2f634ff2c0c0ab7adb78fe69d6d42307118d0bb934f03974deddac
  8. 3da95f33b6feb5dcc86d15e2a31e211e031efa2e96792ce9c459b6b769ffd6a4
  9. 42fa99e574b8ac5eddf084a37ef891ee4d16742ace9037cda3cdf037678e7512
  10. 46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531
  11. 47d53f4ab24632bf4ca34e9a10e11b4b6c48a242cbcfcb1579d67523463e59d2
  12. 4eced949a2da569ee9c4e536283dabad49e2f41371b6e8d40b80a79ec1b0e986
  13. 5b8b71d1140beaae4736eb58adc64930613ebeab997506fbb09aabff68242e17
  14. 82ad34384fd3b37f85e735a849b033326d8ce907155f5ff2d24318b1616b2950
  15. 83e0db0fa3feaf911a18c1e2076cc40ba17a185e61623a9759991deeca551d8b
  16. a60cadbf6f5ef8a2cbb699b6d7f072245c8b697bbad5c8639bca9bb55f57ae65
  17. b0562b41552a2fa744390a5f79a843940dade57fcf90cd23187d9c757dc32c37
  18. b61fa79c6e8bfcb96f6e2ed4057f5a835a299e9e13e4c6893c3c3309e31cad44
  19. d28ab0b04dc32f1924f1e50a5cf864325c901e11828200629687cca8ce6b2d5a
  20. db1c2482063299ba5b1d5001a4e69e59f6cc91b64d24135c296ec194b2cab57a
  21. ddaeffb12a944a5f4d47b28affe97c1bc3a613dab32e5b5b426ef249cfc29273
  22. e869c7f981256ddb7aa1c187a081c46fed541722fa5668a7d90ff8d6b81c1db6
  23. eab20d4c0eeff48e7e1b6b59d79cd169cac277aeb5f91f462f838fcd6835e0ac
  24. eda6d901c7d94cbd1c827dfa7c518685b611de85f4708a6701fcbf1a3f101768
Domain
  1. baldwin-gonzalez.live
  2. benyallen.club
  3. chad-jessie.info
  4. escanor.live
  5. jaime-martinez.info
  6. judystevenson.info
  7. krasil-anthony.icu
  8. nicoledotson.icu
  9. robert-keegan.life
  10. samwinchester.club
  11. tatsumifoughtogre.club
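The hashes and domains above are only useful once they are run against endpoint and DNS telemetry. The script below, added here as an example (not CloudSEK tooling), hashes every file under a directory and matches MD5 and SHA-256 against the lists, and scans DNS-style log lines for the listed domains while treating subdomains as matches and look-alike suffixes (such as notrobert-keegan.life) as non-matches. Only a few hashes are embedded; the remaining entries above should be added to the sets. The log lines and the file written in the demo are constructed.

```python
"""Offline IOC sweep built from the hashes and domains listed in this advisory.
Added example; not CloudSEK tooling. It (1) hashes every file under a
directory and matches MD5 / SHA-256 against the advisory's lists, and (2)
scans DNS-style log lines for the listed domains, including subdomains.
Only a few hashes are included; extend the sets from the lists above.
The log lines and the file written in the demo are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Subset of the advisory's hashes (extend with the remaining entries above).
MD5_IOCS: Set[str] = {
    "e098135ca0b3bdfdd8465312c378e4e2",
    "835f86e1e83a3da25c715e89db5355cc",
    "6e2d058c3508694a392194dbb6e9fe44",
}
SHA256_IOCS: Set[str] = {
    "078212fc6d69641e96ed04352fba4d028fd5eadc87c7a4169bfbcfc52b8ef8f2",
    "0d65b9671e51baf64e1389649c94f2a9c33547bfe1f5411e12c16ae2f2f463dd",
    "11487246a864ee0edf2c05c5f1489558632fb05536d6a599558853640df8cd78",
}
# All domains listed in the advisory.
DOMAIN_IOCS: Set[str] = {
    "baldwin-gonzalez.live", "benyallen.club", "chad-jessie.info",
    "escanor.live", "jaime-martinez.info", "judystevenson.info",
    "krasil-anthony.icu", "nicoledotson.icu", "robert-keegan.life",
    "samwinchester.club", "tatsumifoughtogre.club",
}


def hash_file(path: Path) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep_files(root: str, md5s: Set[str] = MD5_IOCS,
                sha256s: Set[str] = SHA256_IOCS) -> List[Tuple[str, str]]:
    """Walk root and return (path, sha256) for files matching either list."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            m, s = hash_file(p)
            if m in md5s or s in sha256s:
                hits.append((str(p), s))
    return hits


def domain_matches(name: str, iocs: Set[str] = DOMAIN_IOCS) -> bool:
    """Exact or subdomain match; 'notescanor.live' must not match 'escanor.live'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


# Candidate hostnames in a log line: dotted labels of letters, digits, hyphens.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def sweep_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, matched_name) for each log line that queries a listed domain."""
    hits = []
    for line in lines:
        for cand in HOST_RE.findall(line):
            if domain_matches(cand):
                hits.append((line.strip(), cand.lower()))
                break
    return hits


# Constructed DNS resolver log lines (not real telemetry).
SAMPLE_DNS_LOG = [
    "2020-12-20T10:15:02Z client=10.0.0.12 type=A name=www.example.com",
    "2020-12-20T10:15:09Z client=10.0.0.12 type=A name=cdn.escanor.live",
    "2020-12-20T10:16:44Z client=10.0.0.31 type=A name=ROBERT-KEEGAN.LIFE.",
    "2020-12-20T10:17:01Z client=10.0.0.31 type=A name=notrobert-keegan.life",
]


def demo_file_sweep() -> List[Tuple[str, str]]:
    """Write a constructed file, register its hash, and show the sweep finds it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dropper.bin"
        sample.write_bytes(b"constructed sample, not PyMicropsia")
        _, sha = hash_file(sample)
        return sweep_files(tmp, md5s=set(), sha256s={sha})


if __name__ == "__main__":
    for line, name in sweep_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit {name}: {line}")
    print(demo_file_sweep())
```

The domain check deliberately anchors on a label boundary ("." + domain) rather than a bare suffix, which is the usual mistake in quick IOC greps; the file sweep hashes in chunks so it can be pointed at download and temp directories without loading whole files into memory.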

Mitigation

  1. Install applications only from trusted sources or official app stores.
  2. Review the permissions granted to applications and revoke any that are not needed.
  3. Keep antivirus engines and signatures up to date.
  4. Deploy web filtering that inspects downloaded content and blocks known-malicious downloads promptly.
  5. Keep browsers up to date.
  6. Treat unsolicited email attachments with suspicion; as noted under Technical Impact, phishing attachments provide the initial foothold.
  7. Block the domains listed above at the DNS resolver or proxy, and sweep endpoints for the listed file hashes.
