Friday, September 18, 2020


RAT trojan attacks UK and EU FinTechs

The Evilnum APT has added the ‘RAT’ to its arsenal of cyber tools.

This group, which specialises in targeting financial technology companies, has launched a new weapon – a Python-based remote access trojan (RAT) named PyVil. The malware’s emergence coincides with a change in the infection chain & an expansion of the APT’s infrastructure.

PyVil RAT

According to researchers at Cybereason, PyVil RAT lets the attackers exfiltrate data, perform keylogging & take screenshots, & can use secondary credential-harvesting tools such as LaZagne (an open-source application used to retrieve passwords stored on a local computer).

Evilnum 1st appeared during 2018 using JavaScript malware, & since then it has developed various components written in JavaScript & C# (such as Cardinal RAT).

It has also been making use of malware-as-a-service offerings from an underground provider known as Golden Chickens, according to an analysis published Thursday (these tools include More eggs, ‘Terra Preter’, ‘Terra Stealer’ & ‘Terra TV’).

Spear-phishing E-mails

The latest campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the UK and EU. The attack vector is spear-phishing emails, which use the Know Your Customer (KYC) regulations as a lure.

“It’s ironic that threat actors would be involved in such a campaign that abuses the ‘Know Your Customer’ regulations, the process by which companies vet new customers & partners,” Tom Fakterman, Threat Researcher at Cybereason, explained in an interview.

Know Your Customer

“The Know Your Customer process works in the manner that allows 2 companies to share proprietary info about each other during the vetting process to ensure neither party is involved in corruption, bribery, money laundering, etc.

So, in effect, the threat actors are preying on the FinTech companies by sending fraudulent information & documents that look real.”

New RAT Sets Up Nest

PyVil RAT was compiled with py2exe, a Python extension that converts Python scripts into Microsoft Windows executables. This gives the RAT the capacity to download new modules to expand its functionality.

“The Python code inside the py2exe is obfuscated with extra layers, in order to prevent decompilation of the payload using existing tools,” according to the research. “Using a memory dump, we were able to extract the 1st layer of Python code.

The 1st piece of code decodes & decompresses the 2nd layer of Python code. The 2nd layer of Python code decodes & loads to memory the main RAT & the imported libraries.”

Configuration Module

PyVil RAT also has a configuration module that holds the malware’s version, command-&-control (C2) domains and instructions for which browser to use when communicating with the C2. The C2 communications are via HTTP POST requests & are RC4-encrypted using a hardcoded key that is stored Base64-encoded, according to the analysis.
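To make the C2 scheme just described concrete from the analyst’s side (an HTTP POST body, RC4-encrypted under a hardcoded key that sits in the configuration as a Base64 string), here is an added Python example of the decoding step performed on captured traffic. It is not code from this article or from Cybereason’s report: the configuration values, the key and the captured body are constructed for illustration, and the JSON shape of the message is an assumption. The RC4 routine is checked against the standard “Key”/“Plaintext” test vector so the decoder can be trusted.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation).

    The keystream is XORed over the data, so the same call both encrypts
    and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the configuration module described in the article:
# version, C2 domains, browser choice and the Base64-encoded hardcoded RC4 key.
# None of these values come from the real sample.
CONSTRUCTED_CONFIG = {
    "version": "0.0-example",
    "c2_domains": ["c2-one.example.invalid", "c2-two.example.invalid"],
    "browser": "chrome",
    "rc4_key_b64": base64.b64encode(b"example-hardcoded-key").decode(),
}


def decrypt_c2_body(config: dict, post_body: bytes) -> bytes:
    """Recover the plaintext of a captured POST body.

    Step 1: Base64-decode the hardcoded key pulled from the config.
    Step 2: RC4-decrypt the body with that key.
    """
    key = base64.b64decode(config["rc4_key_b64"])
    return rc4(key, post_body)


def build_sample_body(config: dict, plaintext: bytes) -> bytes:
    """Produce a constructed 'captured' body with the same scheme.

    Only used here to create sample data; RC4 is symmetric, so this is the
    same operation as decryption.
    """
    return decrypt_c2_body(config, plaintext)


# Constructed captured body; the message format is an assumption.
SAMPLE_PLAINTEXT = b'{"cmd": "screenshot", "id": "constructed-0001"}'
CAPTURED_BODY = build_sample_body(CONSTRUCTED_CONFIG, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_c2_body(CONSTRUCTED_CONFIG, CAPTURED_BODY).decode())
```

Because the key is hardcoded, once it has been recovered from one memory dump (as the researchers did for the Python layers) the same decoder works on every capture from that build, which is what makes a static key a weakness for the operator and an asset for the responder.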

Cybereason found that PyVil RAT supports a host of commands, including: ‘act as a keylogger’; ‘run CMD commands’; ‘take screenshots’; ‘drop & upload other Python scripts & executables’; ‘open an SSH shell’; & ‘collect information’ such as the antivirus products installed on the machine, the Chrome version & which USB devices are connected.

During Cybereason’s analysis, PyVil RAT also received from the C2 a custom version of LaZagne, which the Evilnum group has used before.

C2 infrastructure

Evilnum’s C2 infrastructure is growing & expanding as well.

“While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing,” the researchers outlined. “A few weeks ago, 3 domains associated with the malware were resolved to the same IP address. Shortly thereafter, the C2 IP address of all 3 domains changed.

In addition, 3 new domains were registered with the same IP address & were used by the malware. A few weeks later, this change recurred. The resolution address of all domains changed in the span of a few days, with the addition of 3 new domains.”
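The rotation pattern the researchers describe (a cluster of domains sharing one IP, all moving to a new IP within days, with fresh domains joining at the new address) is something a defender can pivot on with passive-DNS data. The following is an added Python example, not code from the article or from Cybereason, that takes a seed domain and expands it to the domains that moved with it and those that appeared on its new IP afterwards. The records are constructed (documentation IP ranges, `.test` names) and are not the report’s indicators.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style observations: (domain, resolved IP, first seen).
RECORDS = [
    ("a-example.test", "203.0.113.10", date(2020, 7, 1)),
    ("b-example.test", "203.0.113.10", date(2020, 7, 1)),
    ("c-example.test", "203.0.113.10", date(2020, 7, 2)),
    ("unrelated.test", "203.0.113.10", date(2020, 6, 1)),   # shared-hosting noise: never moves
    ("a-example.test", "198.51.100.7", date(2020, 7, 20)),  # the IP changes...
    ("b-example.test", "198.51.100.7", date(2020, 7, 20)),  # ...for the whole cluster
    ("c-example.test", "198.51.100.7", date(2020, 7, 21)),
    ("d-example.test", "198.51.100.7", date(2020, 7, 22)),  # new registrations join
    ("e-example.test", "198.51.100.7", date(2020, 7, 22)),
]


def ip_history(records):
    """Per domain, the ordered list of (ip, first_seen) hops, collapsing repeats."""
    hist = defaultdict(list)
    for domain, ip, seen in sorted(records, key=lambda r: r[2]):
        if not hist[domain] or hist[domain][-1][0] != ip:
            hist[domain].append((ip, seen))
    return hist


def hops(history):
    """The set of (old_ip, new_ip) transitions a domain has made."""
    ips = [ip for ip, _ in history]
    return set(zip(ips, ips[1:]))


def co_rotating_domains(records):
    """Map each (old_ip, new_ip) move to the domains that made it; drop singletons."""
    moves = defaultdict(set)
    for domain, history in ip_history(records).items():
        for hop in hops(history):
            moves[hop].add(domain)
    return {hop: sorted(ds) for hop, ds in moves.items() if len(ds) >= 2}


def pivot_from_seed(records, seed):
    """Expand one known-bad domain to its rotating cluster.

    A domain is related if it made the same IP move as the seed, or if it
    first appeared on the seed's current IP after the seed arrived there.
    Domains that merely shared an old IP but never moved are left out.
    """
    hist = ip_history(records)
    seed_hops = hops(hist[seed])
    current_ip, current_since = hist[seed][-1]
    related = set()
    for domain, history in hist.items():
        if domain == seed:
            continue
        if hops(history) & seed_hops:
            related.add(domain)  # moved together with the seed
        elif history[0][0] == current_ip and history[0][1] >= current_since:
            related.add(domain)  # joined the seed's new IP after the move
    return sorted(related)


if __name__ == "__main__":
    print(co_rotating_domains(RECORDS))
    print(pivot_from_seed(RECORDS, "a-example.test"))
```

The point of requiring a shared *move* rather than a shared IP is to avoid sweeping in unrelated tenants of a hosting provider; a domain that sat on the same address but stayed behind when the cluster rotated is treated as noise.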

Infection Routine

Evilnum has launched other new nasty tricks in parallel with rolling out PyVil RAT, the researchers noted. For example, the infection chain has changed to include a multi-process delivery routine for the payload, instead of relying on a 1st-stage JavaScript trojan with backdoor capabilities to establish an initial foothold on the target.

The group is using modified versions of legitimate executables in an attempt to remain undetected by security tools, he further observed.


Evilnum

Until now, Evilnum has relied on spear-phishing emails containing ZIP archives housing 4 LNK files, according to the analysis. The LNK files masquerade as photos of drivers’ licences, credit cards & utility bills; when a target clicks on one, the Evilnum JavaScript trojan is launched, connects to the C2 & sets about its espionage work.

“Up to this date, as described in this publication, 6 different iterations of the JavaScript trojan have been observed in the wild, each with small changes that don’t alter the core functionality,” the researchers observed.

“The JavaScript agent has functionalities such as upload & download files, steal cookies, collect antivirus information, execute commands and more.”

Multi-Stage

The new routine is multi-stage & complex. It starts with just 1 LNK file in the ZIP archive attached to an email. When the LNK file is executed, a different JavaScript file is called, which acts only as a 1st-stage dropper with no C2 capabilities (the file name is ddpp.exe).

“The ddpp.exe executable appears to be a version of Oracle’s legitimate Java Web Start Launcher, modified to execute malicious code,” says Cybereason.

“When comparing the malware executable with the original Oracle executable, we can see the similar metadata between the files. The major difference at 1st sight is that the original Oracle executable is signed, while the malware is not.”

Dolby

The dropper creates a scheduled task named “Dolby Selector Task,” which begins a 2nd stage of retrieving the payload by unpacking shellcode. This shellcode connects to the C2 using a GET request, & receives back another encrypted executable, which is saved to disk as “fplayer.exe.”

“fplayer.exe appears to be a modified version of [Nvidia’s legitimate] Stereoscopic 3D driver Installer,” the analysis detailed. “In here as well, we can see the similar metadata between the files with the difference being that the original Nvidia executable is signed, while the malware is not.”

When executed, fplayer.exe unpacks more shellcode, which forms its own C2 connection & downloads yet another payload – the final piece of code. This is decrypted, then loaded into memory & serves as a fileless RAT: PyVil.
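The chain laid out in this section (LNK in a ZIP, a JavaScript dropper, an unsigned look-alike of a vendor binary such as ddpp.exe, a scheduled task for persistence, then an unsigned fplayer.exe making an outbound connection) gives a defender several observable stages to correlate. Below is an added Python example of that correlation over constructed Sysmon-style events; it is not from the article or from Cybereason. The host names, user paths, destination address and the `driving_licence.js` file name are made up; only ddpp.exe, fplayer.exe and the task name come from the article. It requires at least two distinct stages on one host before alerting, so a lone unsigned binary in a profile directory does not fire on its own.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_LOG = r"""
{"host": "ws-07", "event": "ProcessCreate", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_kyc_docs.zip\\driving_licence.js", "parent": "C:\\Windows\\explorer.exe", "signed": true, "company": "Microsoft Corporation"}
{"host": "ws-07", "event": "ProcessCreate", "image": "C:\\Users\\alice\\AppData\\Roaming\\ddpp.exe", "cmdline": "ddpp.exe", "parent": "C:\\Windows\\System32\\wscript.exe", "signed": false, "company": "Oracle Corporation"}
{"host": "ws-07", "event": "TaskCreate", "task": "Dolby Selector Task", "creator": "C:\\Users\\alice\\AppData\\Roaming\\ddpp.exe"}
{"host": "ws-07", "event": "NetworkConnect", "image": "C:\\Users\\alice\\AppData\\Roaming\\fplayer.exe", "dest": "203.0.113.10:443", "signed": false, "company": "NVIDIA Corporation"}
{"host": "ws-12", "event": "ProcessCreate", "image": "C:\\Program Files\\Java\\bin\\javaws.exe", "cmdline": "javaws.exe app.jnlp", "parent": "C:\\Windows\\explorer.exe", "signed": true, "company": "Oracle Corporation"}
{"host": "ws-12", "event": "TaskCreate", "task": "OneDrive Standalone Update Task", "creator": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
"""

# Locations a standard user can write to; vendor tools normally live elsewhere.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def classify(ev):
    """Name the chain stage an event matches, or None."""
    kind = ev["event"]
    if kind == "ProcessCreate":
        image = ev["image"].lower()
        # Stage 1: a user double-clicks something that runs a .js via a script host.
        if (image.endswith(SCRIPT_HOSTS)
                and ev["parent"].lower().endswith("explorer.exe")
                and re.search(r"\.js\b", ev["cmdline"], re.IGNORECASE)):
            return "user_launched_js"
        # Stage 2: a binary carrying a vendor name but no signature, in a user directory.
        if USER_WRITABLE.search(ev["image"]) and not ev["signed"] and ev.get("company"):
            return "unsigned_vendor_lookalike"
    elif kind == "TaskCreate" and USER_WRITABLE.search(ev["creator"]):
        # Stage 3: persistence registered by something running from a user directory.
        return "task_from_user_dir"
    elif kind == "NetworkConnect" and USER_WRITABLE.search(ev["image"]) and not ev["signed"]:
        # Stage 4: an unsigned user-directory binary talking out.
        return "unsigned_outbound"
    return None


def detect(log_text, min_stages=2):
    """Return {host: [stages seen, in order]} for hosts with at least min_stages distinct stages."""
    stages = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return {host: seen for host, seen in stages.items() if len(seen) >= min_stages}


if __name__ == "__main__":
    for host, seen in detect(SAMPLE_LOG).items():
        print(host, "->", " > ".join(seen))
```

The signed/unsigned field stands in for the check the researchers made by hand when comparing ddpp.exe and fplayer.exe with the Oracle and Nvidia originals; in production it would come from the EDR’s signature verification, and the task-name and path allowlists would need tuning per estate.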


Nocturnus Research

“EvilNum knows what they are doing, as they regularly change their TTPs to avoid detection,” Fakterman explained. “In the case of the Nocturnus research, EvilNum is using several new tricks as we discovered a significant deviation from the infection chain, persistence, infrastructure & previously observed tools.

We expect EvilNum to continue to grow its arsenal of tools in the future with more innovative tactics & tools to allow them to stay under the radar.”

Precautions

To protect themselves, businesses should take some basic precautions when it comes to email security, Fakterman noted.

“Time & time again threat actors revert to the time-tested infection method of phishing emails,” he commented.

“Enterprises need to constantly evolve their stack of security tools to more easily root out the stealth tactics being deployed. The employees of enterprises shouldn’t be opening email attachments from unknown sources and should avoid downloading information from dubious websites.”
