This threat report is about threat actor Evilnum’s new remote access trojan (RAT) called PyVil and provides actionable intelligence on how to avoid it.
The trojan is built off a new infection chain the threat actor utilizes to propagate malware. The infection chain is very complex and offers a unique method to maintain a fileless presence on the affected host.
The goal of this new infection chain seems to be for financial gain and primarily targets financial institutions.
The early infection process is shown below:
The scheduled task is set up to maintain long-term persistence in the infected device and create a mechanism for pulling down more payloads. The next set of payloads lead to the final remote access trojan being set up on the host which has been written in Python. The bad actor also attempts to dump the existing credentials on the affected host.
Once the Python-based RAT is installed, it runs the rest of its operations in memory. Communication with the command & control infrastructure uses RC4 encryption using hardcoded keys with Base64 encoding. Information transmitted about the infected machine occurs in JSON.
It is highly encouraged that you perform the following actions to avoid this malware campaign:
With the prevalence, severity, and sophistication of cybersecurity attacks growing by the day, businesses of all types and sizes are scrambling to protect themselves. This best practices guide takes you through the 8 essential steps to managing a data breach. Download now.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.