New Python-scripted trojan malware targets fintech companies

PyVil RAT is capable of keylogging, taking screenshots and more - and the those behind it have gone to great lengths to keep it as under the radar as possible.
Written by Danny Palmer, Senior Writer

A well-resourced hacking operation has deployed newly developed trojan malware in a campaign targeting financial tech organisations with the aim of stealing email addresses, passwords and other sensitive corporate information – and the malicious code is bundled inside code ripped from legitimate applications.

Known as Evilnum, the advanced persistent threat (APT) group first emerged in 2018 and one of the reasons for their success is how often they've changed tools and tactics as they take aim at targets related to Fintech mostly located in Europe and the UK, although some victims are located in the Americas and Australia.

Evilnum's activity has been varied, with reports of it using different components written in Javascript and C#, and now it has deployed another new tool for attacks. This time, it's a Python-scripted remote access trojan (RAT) that emerged in recent weeks alongside a new spate of targeted attacks.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Uncovered by cybersecurity researchers at Cybereason who've dubbed it PyVil RAT, the trojan allows attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected.

Previous Evilnum attacks have begun with highly targeted spear-phishing emails and the PyVil delivery campaign is similar, although rather than delivering Zip archives like before, the compromise begins with emails containing an LNK file masquerading as a PDF.

The phishing emails claim to contain identification documents associated with banking, including utility bills, credit-card statements and even drivers' license photos.

If opened, the file will start a sequence that ultimately sees the compromised machine connected to Evilnum's command and control servers and the trojan malware dropped onto the system, and able to to provide instructions and potential additional functionality to PyVil – all while staying hidden from the victim.

One of the reasons the new trojan is able to do this is because the malicious code is obfuscated behind many different layers, including being bundled inside code from legitimate software that has somehow been plucked and wrapped around the malware.

"This tactic works to their advantage in several ways, including avoiding detection and maintaining persistence – the abuse of legitimate code is more common with more sophisticated actors," Tom Fakterman, threat researcher at Cybereason, told ZDNet.

SEE: Programming languages: Developers reveal what they love and loathe, and what pays best

While it remains unclear who the cyber criminals behind Evilnum ultimately are, the highly targeted nature of the attacks combined with the way in which they're constantly changing their tactics leads researchers to believe that it's a highly professional, well-resourced campaign.

Evilnum is thought to remain active and it's likely only a matter of time before the group changes it's tools and techniques for targeting organisations in the Fintech space once more.

"We still see samples of the malware pop up and we see that the threat actors' infrastructure is still active. The best way of protection is education, improving security hygiene and teaching employees not to be duped into opening phishing emails and not downloading information from dubious websites," Fakterman said.


Editorial standards