PyVil is a Python-script remote access trojan (RAT) used by the Evilnum APT group to gather sensitive corporate information. In September 2020, the threat actors deployed PyVil alongside several other tools, such as More_eggs, TerraPreter, TerraStealer, and TerraTV, to target FinTech companies across the UK and the European Union.
The RAT propagates through malicious LNK files masquerading as legitimate PDF documents, distributed via phishing emails. The operators send deceptive emails disguised as identification documents associated with the victim's banking, such as bills and credit card statements. The RAT is compiled with py2exe, which packages Python scripts as Microsoft Windows executables; it can also download new modules to extend its functionality.
The RAT is configured to hold the instructions it uses for browser-based communication with the Command and Control (C2) server. C2 communication is carried out over HTTP POST requests; the request body is RC4-encrypted with a hardcoded key and then Base64-encoded (which represents the binary data as text). The key features of PyVil are:
- Keylogging
- Taking screenshots
- Gathering information from infected systems
The Python code inside the py2exe executable is wrapped in extra layers of encryption to hinder decompilation of the payload with existing tools.
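As an added illustration (not code from the page, nor taken from any PyVil sample), the C2 body encoding described above, RC4 with a hardcoded key followed by Base64, can be reversed by an analyst working from a captured POST body. The key is a placeholder, since the real hardcoded key is not given here, and the sample body is constructed from a known plaintext so the decoder can be exercised offline.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: the same keystream XOR both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(body: str, key: bytes) -> bytes:
    """Reverse the described encoding: Base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(body))


def encode_c2_body(plaintext: bytes, key: bytes) -> str:
    """Forward direction, used here only to build test traffic."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


# Placeholder key: the page does not disclose the real hardcoded key.
PLACEHOLDER_KEY = b"placeholder-rc4-key"

# Constructed sample: a JSON-style message encoded the way a captured
# POST body would be, so decode_c2_body() has realistic input.
SAMPLE_PLAINTEXT = b'{"cmd":"screenshot","host":"WS-01"}'
SAMPLE_BODY = encode_c2_body(SAMPLE_PLAINTEXT, PLACEHOLDER_KEY)


def looks_like_rc4_b64_c2(body: str, key: bytes) -> bool:
    """Triage heuristic for a candidate key: the body must Base64-decode
    cleanly and the RC4 output must be printable ASCII starting with '{'."""
    try:
        plain = decode_c2_body(body, key)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return plain.isascii() and plain.strip().startswith(b"{")
```

With the key recovered from the sample's configuration substituted for the placeholder, the same function decodes real captured bodies.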
Impact
- Leaked personally identifiable information (PII) can lead to identity theft.
- Confidential documents or chats leaked to the public can damage the reputation of an individual or organization.
- Once a device is infected, it can be used as a bot to perform DDoS attacks, leading to inaccessibility of services.
- The malware gives its operators access to a victim's details, which can then be used to further dupe the victim or to carry out social engineering attacks against them.
Mitigations
- Do not open suspicious or unsolicited emails, especially those received from unknown or suspect senders.
- Block the installation of programs from unknown sources.
- Download only from relevant and trusted sources.
- Backup your data at regular intervals.
- Use a trusted scanner to detect malware.
- Disable Windows PowerShell, which is a task automation framework.
Indicators of Compromise