The PyVil RAT is a new malware tool that has been added to the arsenal of the Advanced Persistent Threat (APT) group Evilnum. Evilnum has been active for a couple of years. During that period, it has been constantly updating its malware toolkit, both with homemade threats and by buying Ransomware-as-a-Service (RaaS) programs. The hackers' main targets are organizations within the financial technology sector, located primarily in the UK and EU, with a smaller number of victims in Canada and Australia.

The PyVil RAT Exploits Code Taken from Legitimate Applications to Avoid Detection 

The new tool employed by Evilnum is a Remote Access Trojan (RAT) written in Python that has been named PyVil. The malware has expanded capabilities and is deployed through a multi-stage attack chain. The campaign begins with highly targeted spear-phishing emails that carry an LNK file posing as a PDF containing important documentation, such as credit card and driver's license photos or utility bills. The LNK file writes a JavaScript file named 'ddpp.exe' on the victim's system; it acts as a first-stage dropper and cannot communicate with the criminals' Command-and-Control (C2) infrastructure. The malware gains persistence by creating a scheduled task named 'Dolby Selector Task' for the 'ddpp.exe' file. The ddpp file appears to be a modified 'Java(™) Web Start Launcher' with significant chunks of the legitimate code left intact.

The second stage of the attack is initiated by the Dolby Selector Task, which runs ddpp.exe to unpack shellcode that connects to the C2 server and retrieves a payload file named 'fplayer.exe.' This new file is stored at a predefined location, '%localappdata%\microsoft\media player\player\fplayer.exe', and is executed through a new scheduled task called 'Adobe Update Task.' The same tactic of reusing a legitimate installer is employed again, but this time fplayer.exe is a modified version of Nvidia's Stereoscopic 3D driver installer. To progress to the next stage, fplayer.exe unpacks another shellcode that once again connects to the C2 server, but this time the final PyVil RAT payload is pushed to the compromised system.
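The two scheduled tasks and the fixed fplayer.exe drop path described above are the most practical detection hooks in this chain. The following Python script is an added example, not code from the article or from any vendor report: it parses Task Scheduler XML exports (the exact names, the payload path and the task XML format are taken from the description above; the sample exports, the user paths and the ddpp.exe location are constructed) and flags tasks whose name or command matches the PyVil persistence pattern.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators as described in the article: persistence task names, stage binaries
# and the predefined location of the second-stage payload.
SUSPICIOUS_TASK_NAMES = {"dolby selector task", "adobe update task"}
SUSPICIOUS_BINARIES = {"ddpp.exe", "fplayer.exe"}
FPLAYER_PATH_SUFFIX = r"\microsoft\media player\player\fplayer.exe"

@dataclass
class Finding:
    task_name: str
    commands: List[str]
    reasons: List[str]

def check_task(task_name: str, task_xml: str) -> Optional[Finding]:
    """Return a Finding if the task name or its Exec commands match the PyVil chain."""
    root = ET.fromstring(task_xml)
    nodes = (root.findall(".//t:Actions/t:Exec/t:Command", NS)
             or root.findall(".//Actions/Exec/Command"))  # tolerate missing namespace
    commands = [(n.text or "").strip().strip('"') for n in nodes]
    reasons = []
    if task_name.strip().lower() in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name matches Evilnum persistence task: {task_name}")
    for cmd in commands:
        low = cmd.lower()
        if low.rsplit("\\", 1)[-1] in SUSPICIOUS_BINARIES:
            reasons.append(f"command runs a PyVil stage binary: {cmd}")
        if low.endswith(FPLAYER_PATH_SUFFIX):  # works whether %localappdata% is expanded or not
            reasons.append("command points at the predefined fplayer.exe drop location")
    return Finding(task_name, commands, reasons) if reasons else None

def scan_tasks(exports: Dict[str, str]) -> List[Finding]:
    return [f for name, xml in exports.items() if (f := check_task(name, xml))]

TASK_TMPL = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
             "<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>")

# Constructed sample exports (not real captures); the ddpp.exe path is a placeholder.
SAMPLE_TASKS = {
    "OneDrive Standalone Update Task": TASK_TMPL.format(
        cmd=r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    "Adobe Update Task": TASK_TMPL.format(cmd=r"%localappdata%\microsoft\media player\player\fplayer.exe"),
    "Dolby Selector Task": TASK_TMPL.format(cmd=r"C:\Users\user\AppData\Roaming\ddpp.exe"),
}

if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS):
        print(f.task_name, "->", "; ".join(f.reasons))
```

On a live host, feed the script the output of `schtasks /query /xml` (or the per-task XML files under the Tasks folder) instead of the constructed samples.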

The PyVil RAT Possesses a Vast Array of Functions

Once it has finally been downloaded and executed, the PyVil RAT begins to operate according to the commands it receives from the C2 infrastructure. The malware has keylogging abilities and can take screenshots. It can run cmd commands, open SSH shells, and download and upload executable files. Furthermore, it is a potent infostealer: it can probe the infected system for connected USB devices, the installed Chrome version and a list of installed anti-malware programs.

The PyVil RAT can be used to drop additional Python modules, which effectively adds new capabilities to the malware. In fact, cybersecurity researchers observed that during the attack, the PyVil RAT received a Python module from the C2 server that was a modified version of the LaZagne Project. The new script can collect cookie information and attempts to exfiltrate passwords to the C2 server.
