
Evilnum hackers targeting financial firms with a new Python-based RAT
2020-09-04 05:37

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan that can steal passwords, documents, browser cookies, email credentials, and other sensitive information.

In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which can gather information, take screenshots, capture keystroke data, open an SSH shell, and deploy new tools.

"These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan" to spy on its infected targets.

"This JavaScript is the first stage in this new infection chain, culminating with the delivery of the payload, a Python written RAT compiled with py2exe that Nocturnus researchers dubbed PyVil RAT," the researchers said.

The multi-process delivery procedure, upon execution, unpacks shellcode to establish communication with an attacker-controlled server and receive a second encrypted executable that functions as the next stage downloader to fetch the Python RAT. "In previous campaigns of the group, Evilnum's tools avoided using domains in communications with the C2, only using IP addresses," the researchers noted.
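The researchers' observation that Evilnum's earlier tooling contacted its C2 by bare IP address rather than by domain name is something a defender can hunt for directly in web-proxy logs. The following is an added example, not code from the article or from Cybereason: a small Python filter that parses constructed proxy log lines (the log format, the hostnames, and the IP addresses are all assumed, taken from documentation ranges) and flags outbound HTTP requests whose host is a literal IPv4 or IPv6 address, while skipping internal ranges so intranet traffic does not drown the result.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article):
# "<timestamp> <client> <method> <url> <status>" per line.
SAMPLE_PROXY_LOG = """\
2020-09-03T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2020-09-03T10:01:05Z 10.0.0.15 POST http://198.51.100.23:8080/gate.php 200
2020-09-03T10:02:10Z 10.0.0.22 GET https://updates.example.net/check 304
2020-09-03T10:03:44Z 10.0.0.15 GET http://203.0.113.7/stage2.bin 200
2020-09-03T10:04:00Z 10.0.0.31 GET http://[2001:db8::1]/beacon 200
2020-09-03T10:05:00Z 10.0.0.31 GET http://10.0.0.5/intranet 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Internal ranges listed explicitly: Python's ip.is_private also treats the
# documentation ranges used in the sample (198.51.100.0/24, 203.0.113.0/24,
# 2001:db8::/32) as private, which would hide exactly the rows we want to see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def is_internal(ip):
    """True if the address falls in one of the internal ranges above."""
    return any(ip in net for net in INTERNAL_NETS)


def host_is_bare_ip(url):
    """Return an ip_address object if the URL's host is a literal IP, else None.
    urlparse(...).hostname strips the port and IPv6 brackets for us."""
    host = urlparse(url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal


def find_direct_ip_connections(log_text, ignore_internal=True):
    """Return the proxy log rows whose destination host is a literal IP.

    Each hit is a dict with ts, client, method, url and dst_ip. With
    ignore_internal=True, destinations inside INTERNAL_NETS are dropped.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, method, url, status = m.groups()
        ip = host_is_bare_ip(url)
        if ip is None:
            continue
        if ignore_internal and is_internal(ip):
            continue
        hits.append({"ts": ts, "client": client, "method": method,
                     "url": url, "dst_ip": str(ip)})
    return hits


if __name__ == "__main__":
    for hit in find_direct_ip_connections(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['dst_ip']} {hit['method']} {hit['url']}")
```

Direct-to-IP requests are not malicious by themselves (CDNs, update services and misconfigured software all produce them), so treat the output as a hunting lead to be joined with process and user context rather than as an alert on its own.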


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/xUbJtSiDEEw/evilnum-hackers.html