Evilnum APT hacker group changes tactics and targets financial firms with new Python-based malware
The Advanced Persistent Threat (APT) group known as Evilnum used a Python-based remote access trojan (RAT) in attacks on financial technology organizations. A spear-phishing attack let the attackers disguise their tooling on the Windows system as several legitimate programs, so the RAT could operate as designed, exfiltrating data and running various commands. The targets were mainly fintech firms in the UK and Europe.
The remote access trojan that was employed is written in Python, and its functions include keylogging, taking screenshots on infected devices, and directly exfiltrating data. The code also includes a particular function that allows the trojan to deploy tools such as LaZagne, which steals credentials, according to the researchers' report:
PyVil RAT possesses different functionalities, and enables the attackers to exfiltrate data, perform keylogging and the taking of screenshots, and the deployment of more tools such as LaZagne in order to steal credentials.
Highly targeted operations instead of widespread phishing attacks
The Evilnum group tweaked its infection chain in addition to relying on the new Python-based malware. These targeted attacks aim to gather information, capture keystrokes, and open an SSH shell to deploy other tools. The group was first spotted back in 2018, and since then Evilnum has changed much about its behavior, attack tendencies, and methods.
PyVil RAT can download new modules to expand the functionality
Since 2018, when this group started its active operations, the attackers have continued to focus on valuable data and on malware campaigns targeting companies, but the recent findings show that the backdoor malware and other methods differ from attack to attack. As researchers report, the hacker group has added new tricks to its operations. These new tactics include:
- a modified version of the legitimate executables;
- infection chain changes;
- the new version of a Python-based RAT malware.
Also, this new PyVil RAT has layers, so payload decompilation is avoided. It can collect information about USB devices, installed antivirus products, and browser versions in use. It can also download other Python scripts to gain additional functionality. Besides exfiltrating data, dropping executables, and opening an SSH shell, the remote access trojan can run various commands directly on the machine. These changes and innovative tactics suggest that the Evilnum group may expand its arsenal and continue to grow.