ANNOUNCEMENT

Threat Alert:

PyVil RAT

ORANGE_THREAT_ALERT_CR_ICONS-54

Threat Overview

cr-icon-threat-type
Threat Type
PHISHING
Target Industries
Critical Infrastructure
FINTECH COMPANIES
cr-icon-attack-goal
Attack Goal
EXFILTRATE DATA, PERFORM KEYLOGGING & STEAL CREDENTIALS
cr-icon-impacted-geo
Impacted GEO
UK & EU

What's Happening?

Over the course of the last few months, the Cybereason Nocturnus team has been investigating the activity of the Evilnum group, first emerged in 2018. The group’s operations appear to be highly targeted, as opposed to a widespread phishing operation, targeting financial technology companies mostly located in the UK and other EU countries.

In recent weeks, new activity by the group includes several notable changes from tactics observed previously, including a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT.

Read The Full Research

KEY OBSERVATIONS & TTPS


  • Targeting the Financial Sector: The group is known to target FinTech companies, and is abusing the usage of the Know Your Customer( KYC) procedure in order to start the infection.
  • New Tricks: In this research, we see a deviation from the infection chain, persistence, infrastructure, and tools observed previously, including:
    • Modified versions of legitimate executables employed in an attempt to remain undetected by security tools.
    • Infection chain shift from a JavaScript Trojan with backdoor capabilities to a multi-process delivery procedure of the payload.
    • A newly discovered Python-scripted RAT dubbed PyVil RAT that was compiled with py2exe, which has the capability to download new modules to expand functionality.
  • Read the full length research here.

Remediation Steps

cr-icon-remediate-disable

Consider social engineering awareness and training, which are key in preventing such attacks.

Asset 3

Change all passwords related to affected services, both browser- based and local applications.

Asset 1077

Harden remote access interfaces (RDP, SSH).

antivirus-01
Prevented & Detected by the Cybereason Defense Platform

CYBEREASON CUSTOMERS

We highly recommend every customer enable the following features:

  • The Cybereason Defense Platform was able to detect the preliminary stages of the attack and analyze and prevent the execution of the infection chain.
  • If you do not have Cybereason NGAV activated, consider doing so to prevent against threats like these.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage as well as assist in the mitigation of potential infections.

Read the Full Research

SUFFERED A BREACH?
TALK TO A SPECIALIST