Evilnum APT used Python-based RAT PyVil  Tool To Spy and Steal the Sensitive Data

Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.

The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens. 

Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.

All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.  

Key Findings

  • Attacking the Financial Sector
  • This time, Evilnum has come with new tricks and ideas.
  • Security experts are still investigating the group that has been actively exploiting different sectors.
  • Modified versions of legitimate executables, that remain undetected by security tools.
  • Experts have discovered a newly Python-scripted RAT that has been dubbed PyVil RAT; it was combined with py2exe, which has the ability to download all new modules to increase functionality. 
  • The infected chain shifts from a JavaScript Trojan with a backdoor ability to a multi-process delivery method of the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.

PyVil RAT Supports Multiple Functionalities

The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:- 

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for extra functionality 
  • Dropping and uploading executables
  • Opening an SSH shell
  • Gathering all data such as Anti-virus products installed, USB devices connected, and Chrome versions.

Evilnum Aattack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.

Vulnerable programs used 

The vulnerable programs that are used in this attack are:-

  • DDPP.exe
  • FPLAYER.exe


The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-

  • The business firm needs to evolve its stack of security tools continuously so that they can more easily root out the stealth tricks. 
  • Employees of enterprises should not open email attachments from unknown networks.
  • The business firms should not download any data from dubious websites.

Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Also Read:

Lazarus APT Hackers Attack Japanese Organization Using Remote SMB Tool “SMBMAP” After Network Intrusion

PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms


Please enter your comment!
Please enter your name here