Thursday, March 28, 2024

Evilnum APT used Python-based RAT PyVil Tool To Spy and Steal the Sensitive Data

Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.

The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens. 

Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.

All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.  

Key Findings

  • Attacking the Financial Sector
  • This time, Evilnum has come with new tricks and ideas.
  • Security experts are still investigating the group that has been actively exploiting different sectors.
  • Modified versions of legitimate executables, that remain undetected by security tools.
  • Experts have discovered a newly Python-scripted RAT that has been dubbed PyVil RAT; it was combined with py2exe, which has the ability to download all new modules to increase functionality. 
  • The infected chain shifts from a JavaScript Trojan with a backdoor ability to a multi-process delivery method of the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.

PyVil RAT Supports Multiple Functionalities

The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:- 

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for extra functionality 
  • Dropping and uploading executables
  • Opening an SSH shell
  • Gathering all data such as Anti-virus products installed, USB devices connected, and Chrome versions.

Evilnum Aattack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.

Vulnerable programs used 

The vulnerable programs that are used in this attack are:-

  • DDPP.exe
  • FPLAYER.exe

Mitigations

The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-

  • The business firm needs to evolve its stack of security tools continuously so that they can more easily root out the stealth tricks. 
  • Employees of enterprises should not open email attachments from unknown networks.
  • The business firms should not download any data from dubious websites.

Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Also Read:

Lazarus APT Hackers Attack Japanese Organization Using Remote SMB Tool “SMBMAP” After Network Intrusion

PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles