This report is about PyXie Group's advanced ransomware campaign. The bad actor has developed three different notable tools each providing a means to an end by the financially-motivated group. The focus of the PyXie group is distributing ransomware across various sectors including healthcare, education, government, and technology.
PyXie's ransomware tools start by gaining a foothold in the affected organization’s network by using either commodity malware or by using their custom loader called Vatet. Vatet once installed on victim’s system, executes XOR encoded shellcode from the local disk or using a network share. The loader portion is often a well-known application such Notepad, Notepad++, or a Tetris game. The payload injections typically result in Cobalt Strike which is used to setup beaconing and/or staging. The most up-to-date versions of the Vatet loader will inject a payload of the PyXie RAT (Remote Access Trojan). Vatet’s latest iteration will load the payloads from the local disk and will delete malicious payloads once they have been loaded into memory for execution.
The execution flowchart can be seen below for more information:
The RAT trojan primarily loaded by the Vatet malware is often referred to as PyXie Lite and contains a smaller codebase than the original. The lite version is designed to pull data from the infected host such as Cookie data, Citrix data, KeePass safes, password collection, and PowerShell history. The RAT can scan the network for other possible lateral movement avenues.
Additionally, there is a built-in version of Mimikatz should the need arise for credential harvesting which may be useful for deploying the Defray777 ransomware. The malware has hardcoded keywords that it uses on systems related to national defense, financial data, and cryptocurrency. Once all the data has been enumerated and gathered, the malware compresses it in a zip archive and encrypts using AES in CBC mode. The data is then sent to the command & control server over a specified network port.
The Defray777 ransomware family has a few unique features that should be covered in detail. The ransomware has separate standalone binaries for both the Linux and Windows operating systems. When the ransomware is installed, it avoids certain critical elements of the operating system to keep the affected device bootable and somewhat intact. The ransomware also queries that system for information that indicates the computational complexity of the device such as SSE2 support.
Security and IT professionals are highly encouraged to:
Want a prima on creating an incident response plan for your company? Watch this webcast by Paul Caiazzo, senior vice president of security and compliance, as he steps through the five essentials steps to an incident response plan.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.