This trojan malware is being used to steal passwords and spread ransomware

PyXie RAT capabilities include keylogging, stealing login credentials and recording videos, warn researchers at BlackBerry Cylance - who also say the trojan can be used to distribute other attacks, including ransomware.
Written by Danny Palmer, Senior Writer

A newly discovered hacking campaign by a 'sophisticated cyber-criminal operation' is targeting healthcare and education organisations with custom-built, Python-based trojan malware that gives attackers almost control of Windows systems with the ability to monitor actions and steal sensitive data.

Malicious functions of the remote access trojan, dubbed PyXie RAT, include keylogging, credential harvesting, recording video, cookie theft, the ability to perform man-in-the-middle attacks and the capability to deploy other forms of malware onto infected systems.

All of this is achieved while clearing evidence of suspicious activity in an effort to ensure the malware isn't discovered.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

However, traces of the attacks have been found and detailed by cybersecurity researchers at Blackberry Cylance, who named the malware PyXie because of the way its compiled code uses a '.pyx' file extension instead of the '.pyc' typically associated with Python.

PyXie RAT has been active since at least 2018 and is highly customised, indicating that a lot of time and resources have gone into building it.

"The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber-criminal operation," Josh Lemos, VP of research and intelligence at Blackberry Cylance, told ZDNet.

The malware is typically delivered to victims by a sideloading technique that leverages legitimate applications to help compromise victims. One of these applications uncovered by researchers was a trojanized version of an open-source game, which if downloaded, will go about secretly installing the malicious payload, using PowerShell to escalate privileges and gain persistence on the machine.

A third stage of the multi-level download sees PyXie RAT leverage something known in the code as 'Cobalt Mode' that connects to a command and control server as well as downloading the final payload.

This stage of the download takes advantage of Cobalt Strike – a legitimate penetration testing tool – to help install the malware. It's a tactic that is often deployed by cyber-criminal gangs and something that aids in making attacks more difficult to attribute.

This particular downloader also has similarities with another used to download the Shifu banking trojan. However, it could simply be a case of criminals taking open source – or stolen – code and re-purposing it for their own ends.

"An advantage of utilizing a widely used tool such as Cobalt Strike is it makes attribution difficult since it is used by many different threat actors as well as legitimate pentesters. With the Shifu banking trojan similarities, it is unclear if it is the same actors or if someone else reused some of its code," said Lemos.

Once successfully installed on the target system, the attackers can can move around the system and implement commands as they please. In addition to being used to steal usernames, passwords and any other information in the system, researchers note that there are cases of PyXie being used to deliver ransomware to compromised networks.

"This is a full-featured RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances," said Lemos.

SEE: Authorities take down 'Imminent Monitor' RAT malware operation

The full extent of the PyXie RAT campaign still isn't certain, but researchers have identified attacks against over 30 organisations, predominately in the healthcare and education industries, with hundreds of machines believed to have been infected.

Aside from likely being a well-resourced cyber criminal group, it's currently unknown who exactly is behind PyXie RAT, but the campaign is still thought to be active.

However, despite the sophisticated nature of the malware, researchers state that it can be protected against by standard cyber hygiene and enterprise security best practices, including operating system and application patching, endpoint-protection technology, auditing, logging and monitoring of endpoint and network activity, and auditing of credential use.


Editorial standards