Evilnum Hackers Have a New Python-Based RAT

An adversary known for targeting the Financial Cyber Sector, at least since 2018, has switched up its tactics to include a new Python-based remote access Trojan (RAT).[1]  This RAT can steal passwords, documents, browser cookies, email credentials, software licenses, and credentials for trading software/platforms, customer credit card information, and proof of address/identity documents, and other sensitive information.   The group is suspected of offering APT style hacker-for-hire services to other entities, a growing and worrying trend that is changing the threat landscape.[2]

In a recent report, cyber threat researchers following, the Evilnum group has not only bolstered its infection chain but has also deployed a Python RAT called "PyVil RAT," which provides hackers with several capabilities including:

  • Keylogging
  • Executing commands
  • Taking screenshots
  • Downloading additional Python-based scripts that act as modules
  • Downloading and uploading executables
  • Opening SSH shells
  • Collecting information about the system and installed programs such as antivirus, Google Chrome version or the connected USB devices

Malware written in Python is not a new development but is not common. Python is a scripting language that is popular with security professionals and hackers alike on Linux systems, but it does not execute natively on Windows and needs a separate runtime environment, similar to Java.  Python programs can be compiled directly into Windows executables that are self-contained, but because they have to include all the libraries usually provided by the runtime, their size ends up being quite large and this is something that is not appealing to malware authors.

Previous Evilnum attacks used a registry Run key to achieve persistence, but the new infection chain achieves this with a Windows Scheduled Task called the “Dolby Selector Task.”[3]  Dolby is the name for audio compression technology that is incorporated in various audio drivers.  The attackers hijack the name to make the scheduled task appear as if it was created by a legitimate system driver or component.  The attackers then use a Trojanized version of the legitimate Java Web Start Launcher program to execute malicious code, which then downloads the PyVil RAT.  This file manipulation breaks the original file's digital signature by Oracle, but people are used to executing non-digitally signed files on Windows.

"Since the first reports in 2018 through today, the group's TTPs have evolved with different tools while the group has continued to focus on fintech targets," Cybereason reports.  These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT)" to spy on its infected targets. 

Over the last two years, Evilnum has been linked to several malware campaigns against companies across the UK and EU involving backdoors written in JavaScript and C# as well as through tools bought from the Malware-as-a-Service (MaaS) provider Golden Chickens.[4]

Malware-as-a-Service (MaaS) is used within the e-Crime threat actor landscape.  It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family referred to as Golden Chickens: GC01 and GC02.  The success of GC operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks.  The service owner provides the MaaS through the use of the following toolkits: Venom and Taurus building kits for crafting documents used to deliver the attack, and the moreeggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.

7927840473?profile=RESIZE_710x

During July 2020, this APT group was found targeting companies with spear-phishing emails that contain a link to a ZIP file hosted on Google Drive to steal software licenses, customer credit card information, and investments and trading documents.  While the modus operandi of gaining an initial foothold in the compromised system remains the same, the infection procedure has witnessed a major shift.

7927841671?profile=RESIZE_400xBesides using spear-phishing emails with fake ‘know your customer’ (KYC) documents to trick employees of the finance industry into triggering the malware, the attacks have moved away from using JavaScript-based Trojans with backdoor capabilities to a bare-bones JavaScript dropper that delivers malicious payloads hidden in modified versions of legitimate executables in an attempt to escape detection.

"This JavaScript is the first stage in this new infection chain, culminating with the delivery of the payload, a Python written RAT compiled with py2exe that Nocturnus researchers dubbed PyVil RAT," the researchers said.  The multi-process delivery procedure ("ddpp.exe"), upon execution, unpacks shellcode to establish communication with an attacker-controlled server and receive a second encrypted executable ("fplayer.exe") that functions as the next stage downloader to fetch the Python RAT.

"In previous campaigns of the group, Evilnum's tools avoided using domains in communications with the C2, only using IP addresses," the researchers noted.  "While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing."

7927842261?profile=RESIZE_400xWhile Evilnum's exact origins remain unclear, it is evident that their constant improvisation of TTPs has helped them stay under the radar. As the APT's techniques continue to evolve, it is essential that businesses remain vigilant and employees monitor their emails for phishing attempts and exercise caution when it comes to opening emails and links.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.  The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company-wide.
  • Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cybersecurity software, services, and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.  Ransomware protection is included at no charge for RedXray customers.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.  

Red Sky Alliance can help protect with attacks such as these.  We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

 

[1] https://thehackernews.com/2020/09/evilnum-hackers.html

[2] https://www.csoonline.com/article/3573081/apt-style-mercenary-groups-challenge-the-threat-models-of-many-organizations.html

[3] https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

[4] https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!