Python-based Spy RAT Emerges to Target FinTech

2020-09-03 15:28

The malware's emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT. According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools such as LaZagne.

The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails, which use the Know Your Customer regulations as a lure.

PyVil RAT was compiled with py2exe, which is a Python extension which converts Python scripts into Microsoft Windows executables.

"Using a memory dump, we were able to extract the first layer of Python code. The first piece of code decodes and decompresses the second layer of Python code. The second layer of Python code decodes and loads to memory the main RAT and the imported libraries."

During Cybereason's analysis, PyVil RAT also received from the C2 a custom version of LaZagne, which the Evilnum group has used in the past.

News URL

https://threatpost.com/python-spy-rat-target-fintech/158934/

#fintech #python #RAT #SPY