Categories: MalwareUncategorized

Evilnum APT used Python-based RAT PyVil Tool To Spy and Steal the Sensitive Data

Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.

The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens. 

Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.

All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.  

Key Findings

  • Attacking the Financial Sector
  • This time, Evilnum has come with new tricks and ideas.
  • Security experts are still investigating the group that has been actively exploiting different sectors.
  • Modified versions of legitimate executables, that remain undetected by security tools.
  • Experts have discovered a newly Python-scripted RAT that has been dubbed PyVil RAT; it was combined with py2exe, which has the ability to download all new modules to increase functionality.
  • The infected chain shifts from a JavaScript Trojan with a backdoor ability to a multi-process delivery method of the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.

PyVil RAT Supports Multiple Functionalities

The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:- 

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading more Python scripts for extra functionality
  • Dropping and uploading executables
  • Opening an SSH shell
  • Gathering all data such as Anti-virus products installed, USB devices connected, and Chrome versions.

Evilnum Aattack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.

Vulnerable programs used 

The vulnerable programs that are used in this attack are:-

  • DDPP.exe
  • FPLAYER.exe

Mitigations

The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-

  • The business firm needs to evolve its stack of security tools continuously so that they can more easily root out the stealth tricks.
  • Employees of enterprises should not open email attachments from unknown networks.
  • The business firms should not download any data from dubious websites.

Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Also Read:

Lazarus APT Hackers Attack Japanese Organization Using Remote SMB Tool “SMBMAP” After Network Intrusion

PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate search…

1 day ago

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as the…

1 day ago

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains, posing…

1 day ago

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware,…

1 day ago

RansomHub Ransomware Group Hits 84 Organizations as New Threat Actors Emerge

The RansomHub ransomware group has emerged as a significant danger, targeting a wide array of…

1 day ago

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…

2 days ago