Friday, January 24, 2025
HomeMalwareEvilnum APT used Python-based RAT PyVil Tool To Spy and Steal...

Evilnum APT used Python-based RAT PyVil Tool To Spy and Steal the Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.

The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens. 

Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.

All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.  

Key Findings

  • Attacking the Financial Sector
  • This time, Evilnum has come with new tricks and ideas.
  • Security experts are still investigating the group that has been actively exploiting different sectors.
  • Modified versions of legitimate executables, that remain undetected by security tools.
  • Experts have discovered a newly Python-scripted RAT that has been dubbed PyVil RAT; it was combined with py2exe, which has the ability to download all new modules to increase functionality. 
  • The infected chain shifts from a JavaScript Trojan with a backdoor ability to a multi-process delivery method of the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.

PyVil RAT Supports Multiple Functionalities

The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:- 

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for extra functionality 
  • Dropping and uploading executables
  • Opening an SSH shell
  • Gathering all data such as Anti-virus products installed, USB devices connected, and Chrome versions.

Evilnum Aattack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.

Vulnerable programs used 

The vulnerable programs that are used in this attack are:-

  • DDPP.exe
  • FPLAYER.exe

Mitigations

The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-

  • The business firm needs to evolve its stack of security tools continuously so that they can more easily root out the stealth tricks. 
  • Employees of enterprises should not open email attachments from unknown networks.
  • The business firms should not download any data from dubious websites.

Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Also Read:

Lazarus APT Hackers Attack Japanese Organization Using Remote SMB Tool “SMBMAP” After Network Intrusion

PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...