New PyVil RAT/Advanced Persistent Threat Appears in Evilnum Malware's Arsenal

Evilnum is the name of an Advanced Persistent Threat (APT) group. Security experts first spotted the group in 2018. In its relatively short existence, Evilnum has been involved in a number of attacks. While the tools used by the cybercriminals have changed over time, the targets have remained consistent: Evilnum has gone after, and continues to go after, financial technology (fintech) companies. Its activities have focused on companies in the EU and UK, although there are cases of targets located in Canada and Australia. One of the most recent additions to Evilnum’s arsenal is a remote access trojan written in Python that researchers called PyVil RAT.

In recent attacks Evilnum has not deviated from its MO. The group still favors precisely targeted spear phishing attacks over wider, more generic phishing campaigns. In previous attacks the cybercriminals would archive four different .lnk files using zip. Those files would later be replaced by a .jpg file. With PyVil RAT, Evilnum chose to archive just one .lnk posing as a .pdf containing various documents like credit card photos, bills, or ID photos.
Previously, the .lnk file would write a JavaScript file to disk, and executing it would replace the .lnk with a .pdf. This time around, JavaScript is used only as a dropper in the infection chain. The end result is that the PyVil RAT is downloaded and then compiled using the Python Distutils extension py2exe.
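For mail or gateway triage, the delivery pattern described above (a zip holding a single shortcut dressed up as a document) can be checked statically. The following is an added example, not code from the original article or from any vendor tool; the function names, the decoy extension list, the assumption that the disguise uses a double extension such as `.pdf.lnk`, and the sample archives are all constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DECOY_EXTS = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx")  # assumed list


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_name = name.endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if not (by_name or by_magic):
                continue
            stem = name[:-4] if by_name else name
            findings.append({
                "member": info.filename,
                "lnk_by_content": by_magic,
                # "x.pdf.lnk": Explorer hides ".lnk", so the user sees "x.pdf"
                "decoy_extension": by_name and stem.endswith(DECOY_EXTS),
                # shortcut content stored under a non-.lnk name
                "renamed": by_magic and not by_name,
                "sole_member": len(members) == 1,
            })
    return findings


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lone shortcut with a document-style name, and a benign archive.
    lure = build_zip({"ID_scan.pdf.lnk": LNK_MAGIC + b"\x00" * 56})
    benign = build_zip({"report.pdf": b"%PDF-1.7\n", "notes.txt": b"hello"})
    for label, blob in (("lure", lure), ("benign", benign)):
        print(label, triage_zip(blob))
```

Password-protected archives raise an error when a member is read and need separate handling.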

The PyVil RAT has many functions to accommodate the needs of the cybercriminals. Some of its most notable features include:

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading additional Python modules
  • Dropping and uploading executable files
  • Starting an SSH shell
  • System data collection

PyVil RAT is modular. The RAT contains a configuration module that can provide the current version of PyVil RAT as well as domains for the C&C servers and software agents for C&C communication. The C&C communication goes through HTTP POST requests. Evilnum uses an RC4 stream cipher with a hardcoded key encoded with base64 to encrypt C&C communication. The modular functionality is enabled through a custom version of the LaZagne Project that PyVil can receive from the C&C server.

The PyVil RAT is just one of the new tools employed by Evilnum. Like many other APT groups, APT29 for example, Evilnum is constantly working on new techniques and tactics. This allows cybercriminals of this type to pose a significant threat to cybersecurity at any level.
