Evilnum APT used RAT PyVil Python tool to spy and steal data

Recently, the Evilnum APT group used the Python-based PyVil RAT to spy on victims and steal sensitive information. The primary motive of the group is to spy on its victims and exfiltrate VPN passwords, email credentials, various documents, and browser cookies.

Evilnum APT Group and Its Infection Chain

This isn't the first time: the Evilnum APT group had also attacked earlier, in 2018, but this time they came up with some new ideas and techniques to steal all of the victims' sensitive data. The Evilnum APT group mostly targets victims in the UK and EU, but this time they also attacked some victims in Australia and Canada.

The experts confirmed that Evilnum had been detected using attack components written in JavaScript and C#; the group also uses various tools from the malware-as-a-service provider Golden Chickens.

Not only this, but the group primarily uses spear-phishing emails to deliver the malicious files disguised as scans of utility bills, credit cards, and driving licenses. The lures also include other verification documents that are required by know-your-customer (KYC) regulations in the financial sector.


All these variations cover a change in the infection chain and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT.


Key Findings

  • Attacking the financial sector.
  • This time, Evilnum has come with new techniques and ideas.
  • Security experts are still investigating the group, which has been actively targeting different sectors.
  • Modified versions of legitimate executables that remain undetected by security tools.
  • Experts have discovered a new Python-scripted RAT that has been dubbed PyVil RAT; it was compiled with py2exe and has the ability to download new modules to extend its functionality.
  • The infection chain shifts from a JavaScript Trojan with backdoor capabilities to a multi-process delivery method for the payload.

PyVil: New Python RAT

The PyVil RAT allows the attackers to exfiltrate data, perform keylogging, and take screenshots. It can also use secondary credential-harvesting tools like LaZagne, an open-source utility that retrieves passwords stored on a local computer.


PyVil RAT Supports Multiple Functionalities

The experts of the cybersecurity firm Cybereason Nocturnus reported that this new version of PyVil was built with a multitude of capabilities, which are listed below:-

  • Keylogger
  • Running cmd commands
  • Taking screenshots
  • Downloading additional Python scripts for further functionality
  • Dropping and uploading executables
  • Opening an SSH shell
  • Collecting information such as installed antivirus products, connected USB devices, and Chrome versions.

Evilnum Attack Patterns

Evilnum has always relied on spear-phishing emails that include ZIP archives housing four LNK files. Its attack patterns are unchanged in that respect, but the new version combines them with new ideas and techniques.
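As an added defender-side example that is not from the article or from Cybereason, the check below opens a ZIP attachment in memory and flags Windows shell link (.lnk) entries, matching both the file extension and the LNK header magic so that a link renamed to look like a scanned document is still caught; the archive it inspects is a constructed sample, not a real Evilnum lure.

```python
import io
import zipfile
from typing import Dict, List

# A Windows shell link starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian fields).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def inspect_zip_attachment(data: bytes) -> Dict[str, object]:
    """Open a ZIP attachment in memory and flag shell-link entries.

    An entry is flagged if its name ends in .lnk or if its first bytes carry
    the LNK header magic (catches links renamed to look like documents).
    Returns {"lnk_entries": [...], "verdict": "block" | "allow"}.
    """
    flagged: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Read only the header-sized prefix: enough for the magic
                # check, and it never decompresses a large entry fully.
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
                if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                    flagged.append(info.filename)
    except zipfile.BadZipFile:
        # An unreadable archive cannot be vetted, so fail closed.
        return {"lnk_entries": [], "verdict": "block"}
    return {"lnk_entries": flagged, "verdict": "block" if flagged else "allow"}


def build_sample_archive(with_lnk: bool = True) -> bytes:
    """Constructed sample archive (not a real lure): one PDF-named entry and,
    optionally, shell links, one of them disguised behind a .pdf extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("utility bill.pdf", b"%PDF-1.4 constructed sample\n")
        if with_lnk:
            zf.writestr("passport scan.lnk", LNK_MAGIC + b"\x00" * 64)
            zf.writestr("driving licence.pdf", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_archive()))
    print(inspect_zip_attachment(build_sample_archive(with_lnk=False)))
```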

Vulnerable programs used

The vulnerable programs used in this attack are:-


The experts of the cybersecurity firm have suggested some mitigations that enterprises should apply carefully:-

  • Enterprises need to evolve their stack of security tools continuously so that they can more easily root out stealth techniques.
  • Employees of enterprises should not open email attachments from unknown sources.
  • Enterprises should not download any data from dubious websites.

Apart from this, security researchers are still trying their best to counter all the threats from Evilnum, and more importantly, enterprises must remain careful about all these risks.
