Researchers at Cybereason Nocturnus say that the Evilnum advanced persistent threat (APT) group has been using a new Python-based remote access trojan (RAT) in attempts to steal sensitive data from financial technology organisations.
The group's main goal is to spy on its targets and exfiltrate VPN passwords, email credentials, classified documents and browser cookies.
Evilnum first appeared in 2018, when it employed a variety of attack tactics to target fintech firms across the UK and Europe. The group specifically used spear-phishing emails to pass off malicious files as scans of utility bills, credit cards, driving licences and other verification documents required by know-your-customer (KYC) regulations in the financial sector.
The researchers suspect that Evilnum also provides APT-style hacker-for-hire services to other threat groups.
Cybereason researchers, who have been observing Evilnum for the past two years, claim to have noticed many changes in its infrastructure and infection chain, enabling the group to evade detection.
According to the researchers, the RAT, dubbed PyVil, is designed with a multitude of capabilities, such as downloading additional Python scripts, delivering more executables, stealing credentials, opening SSH shells and running commands on the system.
The malware is also able to take screenshots, perform keylogging and gather vital information, such as the antivirus products installed on the system, the Chrome version running and connected USB devices.
The code within the executable remains concealed under extra layers to prevent decompilation of the payload and to enable the RAT to perform its functions.
The researchers have also noticed the PyVil RAT downloading a custom version of a password dumping tool called LaZagne. This post-exploitation tool is written in Python and is popular among penetration testers. It can extract passwords from various applications, including chat programmes, browsers, databases, games and more.
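The behaviours listed above (a Python-based implant that spawns shells and drops a LaZagne-style credential dumper) are the kind of thing an endpoint hunt can look for. The script below is an added illustration, not code from Cybereason or from the report; the process events it scans are constructed in a Sysmon-like shape, the paths and the 203.0.113.5 address are made up, and the three heuristics it applies (LaZagne in an image name or command line, a shell or SSH client spawned by a Python interpreter, and a Python interpreter running from a user-writable temp directory) are assumed starting points rather than Cybereason's detection logic.

```python
"""Toy process-event hunt for PyVil/LaZagne-style activity.

Added example; not the vendor's code. Heuristics are assumptions to tune
against your own telemetry, and the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str  # full path of the parent process image
    image: str         # full path of the created process image
    cmdline: str       # command line of the created process


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # Python runtime in Temp drops and runs a LaZagne-named binary.
    ProcEvent(1002, r"C:\Users\bob\AppData\Local\Temp\python.exe",
              r"C:\Users\bob\AppData\Local\Temp\lazagne.exe", "lazagne.exe all"),
    # The same Python runtime opens an SSH session to a made-up host.
    ProcEvent(1003, r"C:\Users\bob\AppData\Local\Temp\python.exe",
              r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe user@203.0.113.5"),
    # A developer's legitimate interpreter: should not be flagged.
    ProcEvent(1004, r"C:\Program Files\Python39\python.exe",
              r"C:\Program Files\Python39\python.exe", "python.exe build.py"),
]

# Assumed heuristics; all patterns are case-insensitive.
PYTHON_INTERPRETER = re.compile(r"(^|\\)pythonw?\d*\.exe$", re.I)
CRED_DUMPER = re.compile(r"lazagne", re.I)
SHELL_TOOLS = re.compile(r"(^|\\)(ssh|cmd|powershell)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)


def hunt(events):
    """Return (pid, reason) pairs for events matching any heuristic.

    Each event is reported at most once, with the most specific reason.
    """
    findings = []
    for ev in events:
        if CRED_DUMPER.search(ev.image) or CRED_DUMPER.search(ev.cmdline):
            findings.append((ev.pid, "credential-dumper"))
        elif PYTHON_INTERPRETER.search(ev.parent_image) and SHELL_TOOLS.search(ev.image):
            findings.append((ev.pid, "python-spawned-shell"))
        elif PYTHON_INTERPRETER.search(ev.image) and USER_WRITABLE.search(ev.image):
            findings.append((ev.pid, "python-from-user-writable-path"))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} reason={reason}")
```

The ordering of the checks matters: the credential-dumper match is reported first because it is the most specific, and the user-writable-path heuristic is deliberately last since legitimate packaging tools can also run Python from temporary directories, so it is the one most in need of allow-listing before being promoted to an alert.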
"This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group's arsenal continues to grow," the researchers said.