Saturday, October 5, 2024
HomeMalwareEvilnum APT used Python-based RAT PyVil Tool To Spy and Steal...

Evilnum APT used Python-based RAT PyVil Tool To Spy and Steal the Sensitive Data

Published on

Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.

The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens. 

- Advertisement - EHA

Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.

All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.  

Key Findings

  • Attacking the Financial Sector
  • This time, Evilnum has come with new tricks and ideas.
  • Security experts are still investigating the group that has been actively exploiting different sectors.
  • Modified versions of legitimate executables, that remain undetected by security tools.
  • Experts have discovered a newly Python-scripted RAT that has been dubbed PyVil RAT; it was combined with py2exe, which has the ability to download all new modules to increase functionality. 
  • The infected chain shifts from a JavaScript Trojan with a backdoor ability to a multi-process delivery method of the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.

PyVil RAT Supports Multiple Functionalities

The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:- 

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for extra functionality 
  • Dropping and uploading executables
  • Opening an SSH shell
  • Gathering all data such as Anti-virus products installed, USB devices connected, and Chrome versions.

Evilnum Aattack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.

Vulnerable programs used 

The vulnerable programs that are used in this attack are:-

  • DDPP.exe
  • FPLAYER.exe

Mitigations

The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-

  • The business firm needs to evolve its stack of security tools continuously so that they can more easily root out the stealth tricks. 
  • Employees of enterprises should not open email attachments from unknown networks.
  • The business firms should not download any data from dubious websites.

Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Also Read:

Lazarus APT Hackers Attack Japanese Organization Using Remote SMB Tool “SMBMAP” After Network Intrusion

PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...