AridViper group strikes with a new PyMICROPSIA trojan

Malware newly discovered by Palo Alto Networks is crafted to steal browser credentials and other sensitive information from Windows computers

PyMICROPSIA info stealer is a new addition to the AridViper group's arsenal

Palo Alto Networks Unit 42 researchers have recently discovered a new Trojan while investigating the APT group AridViper, which actively targets organizations in the Middle East. Dubbed PyMICROPSIA, it harvests browser credentials and other sensitive information from an infected Windows system using various techniques. Besides its primary info-stealing function, the malware can do much more, including controlling system processes and downloading and executing additional payloads.

According to the findings, the group is extremely active and is currently developing new malware based on its already established MICROPSIA Trojan. The new strain is named PyMICROPSIA for that reason, and because it is written in the Python programming language.

Researchers wrote that they identified two additional samples during the investigation:[1]

While investigating PyMICROPSIA capabilities, we identified two additional samples hosted in the attacker’s infrastructure, which are downloaded and used by PyMICROPSIA during its deployment. The additional samples provide persistence and keylogging capabilities, which we discuss later.

Thorough analysis also showed that several sections of the Trojan's code are not used to their full capacity (or not used at all), one of the main indications that the malware is still in development and is likely to receive major updates that widen its scope.

PyMICROPSIA capabilities and similarities to MICROPSIA malware

Unit 42 researchers spotted multiple overlaps between PyMICROPSIA and other AridViper tools such as MICROPSIA, for example the download of rar.exe from the Command and Control (C2)[2] infrastructure to archive collected data before exfiltration. Both Trojan samples also contain multiple references to the threat actors, both in code variables and in infrastructure.[3]
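The rar.exe staging described above is a detection opportunity on the endpoint: a legitimate WinRAR installation runs from its install directory, while a copy fetched from C2 lands in a user-writable location and is used to build a password-protected archive before upload. The following triage script is an added example written for this article, not code from Unit 42 or from the malware. The process-creation records are constructed (Sysmon-style fields, simplified), and the path markers, weights and threshold are assumptions to tune for a real environment.

```python
import ntpath
import shlex

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# These are made-up sample records, not telemetry from the article.
SAMPLE_EVENTS = [
    {   # benign: WinRAR run from its install directory by the user's shell
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r reports.rar D:\reports',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # suspicious: rar.exe dropped in %TEMP%, packing a profile with a password
        "Image": r"C:\Users\alice\AppData\Local\Temp\rar.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\rar.exe a -r -hpS3cret "
                       r"C:\Users\alice\AppData\Local\Temp\out.rar C:\Users\alice\Documents",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",  # hypothetical dropper
    },
    {   # unrelated process, must not be flagged
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Assumed locations; adjust to where WinRAR is actually deployed in your estate.
TRUSTED_RAR_DIRS = ("c:\\program files\\winrar", "c:\\program files (x86)\\winrar")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
ALERT_THRESHOLD = 2  # assumed: binary in an untrusted location alone is enough to alert


def is_rar_binary(image: str) -> bool:
    return ntpath.basename(image).lower() in {"rar.exe", "winrar.exe"}


def rar_reasons(event: dict) -> list[tuple[str, int]]:
    """Return (reason, weight) pairs describing why the event resembles staged RAR archiving."""
    image = event["Image"]
    if not is_rar_binary(image):
        return []
    reasons = []
    if not ntpath.dirname(image).lower().startswith(TRUSTED_RAR_DIRS):
        reasons.append(("rar binary outside the WinRAR install directory", 2))
    if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append(("rar binary in a user-writable location", 1))
    if any(m in event.get("ParentImage", "").lower() for m in USER_WRITABLE_MARKERS):
        reasons.append(("parent process in a user-writable location", 1))
    # posix=False keeps Windows backslashes intact and quoted paths as one token
    args = shlex.split(event["CommandLine"], posix=False)
    if len(args) > 1 and args[1].lower() == "a":
        reasons.append(("archive creation ('a' command)", 1))
    if any(a.lower().startswith(("-hp", "-p")) for a in args[1:]):
        reasons.append(("password-protected archive", 1))
    return reasons


def rar_score(event: dict) -> int:
    return sum(weight for _, weight in rar_reasons(event))


def triage(events) -> list[dict]:
    """Return the events that reach the alert threshold, with their reasons attached."""
    flagged = []
    for event in events:
        score = rar_score(event)
        if score >= ALERT_THRESHOLD:
            flagged.append({"Image": event["Image"], "score": score,
                            "reasons": [r for r, _ in rar_reasons(event)]})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Image"], hit["score"], "; ".join(hit["reasons"]))
```

The scoring deliberately lets an interactive WinRAR run from its install directory pass (it only scores the 'a' command), while a copy executing from %TEMP% alerts on location alone and accumulates further evidence from the command line. An attacker can also drive the legitimately installed WinRAR, so in practice the command-line signals should feed a lower-severity hunt query rather than be dropped.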

As described by the researchers, the Trojan has a rich set of functions:

This malware sample has a rich set of information-stealing and control capabilities, whether they’re reachable in the current C2 implementation or not. <…>

Once the initial setup is complete, the malware capabilities start by entering into a loop (see Figure 3) where:

  • Several independent threads for audio recording and file uploading are started.
  • Specific tasks are run periodically, covering the following main areas: persistence, keylogging, screenshots and interaction with the C2 operator.

Since the APT group is experienced, it is not surprising that the malware's capabilities are extensive. PyMICROPSIA can perform the following tasks:

  • Keylogging
  • Taking screenshots
  • Uploading files
  • Deleting, creating, compressing, and exfiltrating files and folders
  • Recording audio
  • Gathering data from USB flash drives, including file extraction
  • Compressing data into RAR archives
  • Stealing browser credentials, and more

APT behind PyMICROPSIA exploring new platforms: researchers found code fragments referring to POSIX and darwin

AridViper develops new Trojans relentlessly. While the evidence shows that the malware's functionality is not yet finished, the attackers are already planning ahead: they are not limiting themselves to Windows.

During the research, an interesting detail surfaced. Although PyMICROPSIA targets only computers running Windows, code fragments check for two other platforms: POSIX (Portable Operating System Interface)[4], the family of standards that Unix-like systems such as Linux implement, and darwin, the open-source Unix-like core of macOS.[5] These are the values a Python program sees on such systems, with os.name reporting "posix" and sys.platform reporting "darwin", so their presence in a Python Trojan points to code paths written for non-Windows hosts.

Researchers say this discovery is noteworthy, as the AridViper actors seem to be exploring the targeting of operating systems besides Windows. While the code found in the samples for other operating systems is relatively primitive, the experts said they will keep an eye on this feature in future campaigns.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
