Evilnum group’s Python-based RAT impersonates legitimate programs

Evilnum ATP hacker group change tactics and targets financial firms with new Python-based malware

Operations of the Evilnum ATP group revealed the new malware and the usage of other tools. The Advanced Persistent Threat group named Evilnum used Python remote access trojan in attacks on financial tech organizations.^[1] Spear-phishing attack allowed hackers to hide in the Windows system as several legitimate programs, so the RAT could work as it was designed for and exfiltrate data, run various commands.^[2] Targets were mainly UK and Europe fintech firms.^[3]

The remote access trojan that was employed, is written in Python programming language, and its functions include keylogging, making screenshots of the materials in infected devices, and directly exfiltrating data. The code also includes a particular function allowing the trojan to use tools like LaZagne malware that steals credentials, according to researchers' report:

PyVil RAT possesses different functionalities, and enables the attackers to exfiltrate data, perform keylogging and the taking of screenshots, and the deployment of more tools such as LaZagne in order to steal credentials.

Highly targeted operations instead of widespread phishing attacks

The hacker group known as Evilnum managed to tweak their infection chain besides relying on the Python-based malware. Such targeted attacks aim to gather information, capture keystrokes, and open an SSH shell to deploy other tools. The group was first spotted back in 2018, and Evilnum has changed many things about their behavior and attack tendencies, methods.^[4]

In recent weeks we observed a significant change in the infection procedure of the group, moving away from the JavaScript backdoor capabilities, instead utilizing it as a first stage dropper for new tools down the line. During the infection stage, Evilnum utilized modified versions of legitimate executables in an attempt to stay stealthy and remain undetected by security tools.

Hackers used different components written in Javascript and relied on some malware-as-a-service providers to achieve their goals of getting valuable data from companies in various industries.^[5] These recent operations appear to be highly-targeted and focused on fintech industries, instead of the common phishing campaigns that are widespread.

PyVil RAT can download new modules to expand the functionality

Since 2018, that this group started its active operations, the attackers continued to focus on valuable data and malware campaigns targeting companies, but the recent findings show that backdoor malware and other methods differ from attack to attack. The hacker group included new tricks in their operations, as researchers report. These new tactics include:

• a modified version of the legitimate executables;
• infection chain changes;
• the new version of a Python-based RAT malware.

The infection procedures have shifted significantly because attacks changed the common JavaScript-based trojans to bare-boned JavaScriot dropper that injects malicious payloads hidden in modified versions of legitimate executables. This is how detection can be evaded.

Also, this new PyVil RAT as layers, so payload decompilation is avoided. It can collect information about USB devices, antivirus products installed, and browser versions used. There are possibilities to download other Python scripts to get additional functionalities. The remote access trojan can run various commands directly on the machine besides exfiltrating data and dropping executables or opening SSH shell. These changes and innovative tactics show that in the future Evilnum group might expand its arsenal and continue to grow.