The Evilnum group, which specializes in targeting financial technology companies, has debuted a new tool: a Python-based remote access trojan (RAT) dubbed PyVil. The malware’s emergence coincides with a change in the group’s infection chain and an expansion of the APT’s infrastructure.
According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne (an open source application used to retrieve passwords stored on a local computer).
Evilnum first emerged in 2018 using an eponymous JavaScript malware, and since then, it has developed various components written in JavaScript and C# (such as Cardinal RAT). It’s also been seen making use of malware-as-a-service offerings from an underground provider known as Golden Chickens, according to an analysis published Thursday (these tools include More_eggs, TerraPreter, TerraStealer and TerraTV).
The latest series of campaigns observed by Cybereason using PyVil RAT is widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails that use Know Your Customer (KYC) regulations as a lure.
“It’s ironic that threat actors would be involved in such a campaign that abuses the ‘Know Your Customer’ regulations, the process by which companies vet new customers and partners,” Tom Fakterman, threat researcher at Cybereason, told Threatpost in an interview. “The Know Your Customer process works in a manner that allows two companies to share proprietary info about each other during the vetting process to ensure neither party is involved in corruption, bribery, money laundering, etc. So in effect, the threat actors are preying on the FinTech companies by sending fraudulent information and documents that look real.”
A New RAT Sets Up Its Nest
PyVil RAT is packaged with py2exe, a Python extension that converts Python scripts into Microsoft Windows executables. Separately, the RAT can download new modules from its operators to expand its functionality.
“The Python code inside the py2exe is obfuscated with extra layers, in order to prevent decompilation of the payload using existing tools,” according to the research. “Using a memory dump, we were able to extract the first layer of Python code. The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries.”
PyVil RAT also has a configuration module that holds the malware’s version, its command-and-control (C2) domains and instructions for which browser to use when communicating with the C2. C2 communications are carried in HTTP POST requests and are RC4 encrypted with a hardcoded key that is stored Base64-encoded, according to the analysis.
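The combination described above (a hardcoded key, Base64-encoded in the config, driving RC4 over the POST body) is worth seeing end to end, because it explains why analysts who recover the key from one sample can read every captured session for that build. The following is an added example written for this article, not Cybereason’s tooling or PyVil’s own code: the key value, the JSON beacon format and the field names are all constructed for illustration, since the article does not publish the real ones.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR each byte with a keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# HYPOTHETICAL key. The article says PyVil stores its RC4 key hardcoded and Base64-encoded;
# the real value is not published there, so this one is made up for the example.
CONFIG_B64_KEY = base64.b64encode(b"example-hardcoded-key").decode("ascii")


def key_from_config(b64_key: str) -> bytes:
    """Recover the raw RC4 key from the Base64 form found in the malware's config."""
    return base64.b64decode(b64_key)


def encrypt_c2_body(b64_key: str, message: dict) -> bytes:
    """What an implant would put in the body of its HTTP POST (constructed message format)."""
    plaintext = json.dumps(message, sort_keys=True).encode("utf-8")
    return rc4(key_from_config(b64_key), plaintext)


def decrypt_c2_body(b64_key: str, body: bytes) -> dict:
    """What an analyst does with a captured POST body once the key is pulled from the sample."""
    return json.loads(rc4(key_from_config(b64_key), body).decode("utf-8"))


# Constructed beacon; these JSON fields are illustrative, not PyVil's real protocol.
SAMPLE_BEACON = {"version": "1.0", "host": "FIN-WS-07", "av": ["Windows Defender"], "cmd": "screenshot"}


def roundtrip_demo() -> dict:
    """Encrypt a beacon as the implant would, then decrypt it as a defender with the key would."""
    body = encrypt_c2_body(CONFIG_B64_KEY, SAMPLE_BEACON)
    # The wire bytes carry no visible structure on their own...
    assert body != json.dumps(SAMPLE_BEACON, sort_keys=True).encode("utf-8")
    # ...but anyone holding the static key reads them, for every session, retroactively.
    return decrypt_c2_body(CONFIG_B64_KEY, body)


if __name__ == "__main__":
    print(roundtrip_demo())
```

Two practitioner points follow from the code rather than from the article: a static RC4 key gives no forward secrecy, so a key carved from a memory dump of one infected host decrypts historical PCAPs of the same build, and RC4 provides no integrity, so a defender who controls the path to the C2 can also flip bits in tasking. Both are reasons the hardcoded key, not the domains, is the most valuable artifact to extract from a sample.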
Cybereason found that PyVil RAT supports a host of commands, including: acting as a keylogger; running CMD commands; taking screenshots; dropping and uploading other Python scripts and executables; opening an SSH shell; and collecting information such as the antivirus products installed on the machine, the Chrome version and which USB devices are connected. During Cybereason’s analysis, PyVil RAT also received from the C2 a custom version of LaZagne, which the Evilnum group has used in the past.
Interestingly, Evilnum’s C2 infrastructure is growing and expanding as well.
“While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing,” the researchers explained. “A few weeks ago, three domains associated with the malware were resolved to the same IP address. Shortly thereafter, the C2 IP address of all three domains changed. In addition, three new domains were registered with the same IP address and were used by the malware. A few weeks later, this change occurred again. The resolution address of all domains changed in the span of a few days, with the addition of three new domains.”
Changing Up the Infection Routine
Evilnum has debuted other new tricks in tandem with rolling out PyVil RAT, the researchers noted. For instance, the infection chain has changed to include a multi-process delivery routine for the payload – as opposed to relying on a first-stage JavaScript Trojan with backdoor capabilities to establish an initial foothold on a target.
Within this new routine, the group is using modified versions of legitimate executables in an attempt to remain undetected by security tools, they added.
Evilnum has in the past relied on spear-phishing emails containing ZIP archives housing four LNK files, according to the analysis. The LNK files masquerade as photos of drivers’ licenses, credit cards and utility bills; when a target clicks on one, the Evilnum JavaScript trojan is deployed, connects to the C2 and sets about its espionage work.
“Up to this date, as described in this publication, six different iterations of the JavaScript trojan have been observed in the wild, each with small changes that don’t alter the core functionality,” the researchers said. “The JavaScript agent has functionalities such as upload and download files, steal cookies, collect antivirus information, execute commands and more.”
The new routine, in contrast, is multi-stage and complex. It starts with just one LNK file in the ZIP archive attached to the email. When the LNK file is executed, it calls a different JavaScript file, which acts only as a first-stage dropper with no C2 capabilities; the executable it drops is named ddpp.exe.
“The ddpp.exe executable appears to be a version of [Oracle’s legitimate] Java Web Start Launcher, modified to execute malicious code,” according to Cybereason. “When comparing the malware executable with the original Oracle executable, we can see the similar metadata between the files. The major difference at first sight is that the original Oracle executable is signed, while the malware is not.”
The dropper creates a scheduled task named “Dolby Selector Task,” which kicks off the second stage: unpacking shellcode that retrieves the next payload. This shellcode connects to the C2 with a GET request and receives back another encrypted executable, which is saved to disk as “fplayer.exe.”
“fplayer.exe appears to be a modified version of [Nvidia’s legitimate] Stereoscopic 3D driver Installer,” the analysis detailed. “In here as well, we can see the similar metadata between the files with the difference being that the original Nvidia executable is signed, while the malware is not.”
When executed, fplayer.exe unpacks more shellcode, which forms its own C2 connection and downloads yet another payload, the final piece of code. This is decrypted and loaded into memory, where it runs as a fileless RAT: PyVil.
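The chain described above leaves two detectable traces that Cybereason calls out explicitly: a scheduled task with a fixed name, and executables whose version metadata matches a genuine Oracle or Nvidia binary but which, unlike the originals, carry no code signature. The following added example, written for this article and not part of Cybereason’s research or tooling, runs both checks over a handful of constructed telemetry records. The record layout and field names are this example’s own simplification, not a real Sysmon or EDR schema, and the file paths and hostnames are made up; a signed, legitimately located Oracle binary is included as a control.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed, simplified endpoint telemetry (not a real Sysmon/EDR schema).
# Event 3 is a benign, signed Oracle binary included so the rules can be seen to ignore it.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\ddpp.exe",
     "company": "Oracle Corporation", "signed": False,
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 2, "event": "task_create", "task_name": "Dolby Selector Task",
     "action": r"C:\Users\alice\AppData\Local\Temp\ddpp.exe"},
    {"id": 3, "event": "process_create", "image": r"C:\Program Files\Java\jre1.8.0_261\bin\javaws.exe",
     "company": "Oracle Corporation", "signed": True,
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4, "event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\fplayer.exe",
     "company": "NVIDIA Corporation", "signed": False,
     "parent": r"C:\Users\alice\AppData\Local\Temp\ddpp.exe"},
    {"id": 5, "event": "task_create", "task_name": "OneDrive Standalone Update Task",
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]

# Vendors whose binaries the report says Evilnum modified (Java Web Start, Stereoscopic 3D installer).
IMPERSONATED_VENDORS = ("oracle", "nvidia")
# Exact task name reported for the ddpp.exe persistence stage.
KNOWN_TASK_NAMES = {"dolby selector task"}
# Genuine Oracle/Nvidia binaries do not normally execute out of a user's AppData tree.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def rule_unsigned_vendor_lookalike(ev: dict) -> Optional[Finding]:
    """Version metadata claims Oracle/Nvidia, but the image is unsigned and lives in a
    user-writable path. The missing signature is the difference Cybereason highlighted
    between the originals and ddpp.exe / fplayer.exe."""
    if ev.get("event") != "process_create" or ev.get("signed"):
        return None
    company = ev.get("company", "").lower()
    if not any(vendor in company for vendor in IMPERSONATED_VENDORS):
        return None
    if not USER_WRITABLE.search(ev.get("image", "")):
        return None
    return Finding(ev["id"], "unsigned_vendor_lookalike",
                   f'{ev["image"]} claims "{ev["company"]}" but carries no signature')


def rule_evilnum_task_name(ev: dict) -> Optional[Finding]:
    """Exact task-name indicator from the report: cheap and precise, but trivial for the actor to change."""
    if ev.get("event") != "task_create":
        return None
    if ev.get("task_name", "").lower() not in KNOWN_TASK_NAMES:
        return None
    return Finding(ev["id"], "evilnum_task_name",
                   f'scheduled task "{ev["task_name"]}" runs {ev.get("action", "?")}')


RULES = (rule_unsigned_vendor_lookalike, rule_evilnum_task_name)


def findings_for(events: Iterable[dict]) -> List[Finding]:
    """Apply every rule to every record and collect the hits in record order."""
    hits: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for f in findings_for(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The two rules differ in durability. The task name and the file names ddpp.exe and fplayer.exe are indicators the actor can rotate as easily as the domains the researchers describe rotating above; the metadata-versus-signature mismatch targets the technique itself (repurposing a vendor binary without being able to re-sign it) and keeps working when the names change. In a real deployment the signature and company fields would come from the endpoint sensor’s image-load or process-creation records rather than from a hand-built list.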
“EvilNum knows what they are doing, as they regularly change their TTPs to avoid detection,” Fakterman told Threatpost. “In the case of the Nocturnus research, EvilNum is using several new tricks as we discovered a significant deviation from the infection chain, persistence, infrastructure and previously observed tools. We expect EvilNum to continue to grow its arsenal of tools in the future with more innovative tactics and tools to allow them to stay under the radar.”
To protect themselves, businesses should take basic precautions when it comes to email security hygiene, Fakterman noted.
“Time and time again threat actors revert to the time-tested infection method of phishing emails,” he said. “Enterprises need to constantly evolve their stack of security tools to more easily root out the stealth tactics being deployed. The employees of enterprises shouldn’t be opening email attachments from unknown sources and should avoid downloading information from dubious websites.”