The PyVil RAT is a new malware tool added to the arsenal of the Advanced Persistent Threat (APT) group Evilnum. Evilnum has been active for several years, and during that period it has continually updated its toolkit, both with homemade malware and with tools purchased from Malware-as-a-Service (MaaS) providers. The group's main targets are organizations in the financial technology sector, located primarily in the UK and EU, with a smaller number of victims in Canada and Australia.
The PyVil RAT Reuses Code Taken from Legitimate Applications to Avoid Detection
The second stage of the attack is initiated by the 'Dolby Selector Task' scheduled task, which unpacks shellcode that connects to the C2 server and retrieves a payload file named 'fplayer.exe.' The file is written to a predefined location, '%localappdata%\microsoft\media player\player\fplayer.exe', and is executed through a new scheduled task called 'Adobe Update Task.' The tactic of disguising the payload as a copy of a legitimate installer is used again: fplayer.exe is a modified version of Nvidia's Stereoscopic 3D driver installer. To progress to the next stage, fplayer.exe unpacks another shellcode that again connects to the C2 server, and this time the final PyVil RAT payload is delivered to the compromised system. Both task names mimic legitimate vendor software while the dropped executable sits under the user's profile rather than under Program Files, which makes the task names and the drop path useful hunting indicators.
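The persistence chain above (vendor-themed scheduled tasks running an executable out of %localappdata%) can be hunted for in exported Task Scheduler XML. The script below is an added example written for this page, not code from the original research: it matches the two task names and the fplayer.exe path reported above, and it also applies an assumed, more general heuristic (a vendor-sounding task name whose action runs from a user-writable profile directory) so the check survives a change of file name. The sample task definitions are constructed for the example; on a real host you would feed it the files under C:\Windows\System32\Tasks or the output of schtasks /query /xml.

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the analysis above: the two task names and the fplayer.exe drop path.
KNOWN_TASK_NAMES = {"dolby selector task", "adobe update task"}
KNOWN_DROP_PATH = r"%localappdata%\microsoft\media player\player\fplayer.exe"

# Assumed heuristic (not from the page): a vendor-themed task whose action lives in a
# user-writable profile directory instead of Program Files deserves a look even after the
# exact task names and paths change.
VENDOR_WORDS = ("adobe", "dolby", "nvidia", "microsoft", "google", "intel", "java")
USER_WRITABLE = (r"%localappdata%", r"%appdata%", r"%temp%", r"\appdata\local", r"\appdata\roaming")


def _norm(value):
    """Lower-case, trim and strip surrounding quotes so names and paths compare reliably."""
    return (value or "").strip().strip('"').lower()


def analyse_task(task_name, task_xml):
    """Return a list of findings for one scheduled task; an empty list means nothing matched."""
    findings = []
    name = _norm(task_name)
    if name in KNOWN_TASK_NAMES:
        findings.append(f"task name matches reported Evilnum task: {task_name!r}")

    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = _norm(exec_node.findtext("t:Command", default="", namespaces=NS))
        if command == KNOWN_DROP_PATH:
            findings.append(f"action runs reported PyVil drop path: {command}")
        elif any(w in name for w in VENDOR_WORDS) and any(p in command for p in USER_WRITABLE):
            findings.append(f"vendor-themed task runs from a user-writable path: {command}")
    return findings


def scan_tasks(tasks):
    """tasks: {task name: task XML text}. Returns only the tasks that produced findings."""
    hits = {}
    for name, xml_text in tasks.items():
        findings = analyse_task(name, xml_text)
        if findings:
            hits[name] = findings
    return hits


def load_task_dir(root_dir):
    """Read task definitions from a directory tree such as C:\\Windows\\System32\\Tasks.
    The files are UTF-16 XML; decoding them to str first lets ElementTree ignore the
    UTF-16 declaration. The task name is the file name."""
    tasks = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            with open(os.path.join(dirpath, fn), encoding="utf-16") as fh:
                tasks[fn] = fh.read()
    return tasks


def _task_xml(command, arguments=""):
    """Build a minimal Task Scheduler XML body (constructed for this example)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>{command}</Command>
      <Arguments>{arguments}</Arguments>
    </Exec>
  </Actions>
</Task>"""


# Constructed sample tasks: the reported second-stage task, a benign vendor updater, and an
# unknown vendor-themed task running out of a user profile (hypothetical name and path).
SAMPLE_TASKS = {
    "Adobe Update Task": _task_xml(r"%localappdata%\microsoft\media player\player\fplayer.exe"),
    "Adobe Acrobat Update Task": _task_xml(r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
    "NVIDIA Display Helper": _task_xml(r"C:\Users\alice\AppData\Local\nvhelper\helper.exe"),
}

if __name__ == "__main__":
    for task, findings in scan_tasks(SAMPLE_TASKS).items():
        print(task)
        for f in findings:
            print("  -", f)
```

Run against the constructed samples, the script flags 'Adobe Update Task' on both the task name and the drop path, flags the hypothetical 'NVIDIA Display Helper' on the user-writable heuristic only, and leaves the genuine Adobe updater under Program Files alone. To hunt on a live system, replace SAMPLE_TASKS with load_task_dir(r"C:\Windows\System32\Tasks").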
The PyVil RAT Possesses a Vast Array of Functions
Once it has been downloaded and executed, the PyVil RAT operates according to the commands it receives from the C2 infrastructure. The malware can log keystrokes and take screenshots, run cmd commands, open SSH shells, and download and upload executable files. It is also a potent infostealer: it can probe the infected system for connected USB devices, report the installed Chrome version, and list installed anti-malware programs.
The PyVil RAT can also drop additional Python modules, effectively adding new capabilities to the malware at run time. During the attack, security researchers observed the PyVil RAT receiving a Python module from the C2 server that was a modified version of the LaZagne Project credential-recovery tool. The modified script collects cookies and attempts to exfiltrate passwords to the C2 server.