Dubbed PyVil, the new remote access trojan goes after passwords, documents, browser cookies, and email credentials, says Cybereason.
A new remote access trojan (RAT) is aiming at financial technology companies in the UK and European Union to capture sensitive information through keylogging and screen captures. Described in a Thursday blog post from cybersecurity firm Cybereason, the RAT named PyVil comes courtesy of the Evilnum APT (Advanced Persistent Threat) group. But this one has a few new tricks up its sleeve compared with previous trojans deployed by the group.
In its blog post, “No Rest for the Wicked: Evilnum Unleashes PyVil RAT,” Cybereason points to Evilnum as an operation whose malware attacks and phishing campaigns are highly targeted. The group typically sets its sights on financial technology (FinTech) companies, and mostly those located in the UK and EU.
To deploy its malware, Evilnum uses documents tied to Know Your Customer (KYC) regulations as lures. Such documents contain information that clients provide when doing business with a provider, and banks and financial companies routinely use them to verify client identity, which fits Evilnum’s focus on the FinTech sector.
Evilnum’s attacks usually kick off with spear phishing emails that deliver ZIP archives containing LNK files disguised as photos of driver’s licenses, credit cards, utility bills, and other sensitive records. The lure documents are typically stolen and belong to real people.
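As an added defensive example (not code from Cybereason’s post or from TechRepublic), the following Python check inspects a ZIP attachment for Windows shortcut (LNK) members that masquerade as image or document files, the delivery pattern described above. The sample archive and file names are constructed for illustration.

```python
import io
import zipfile

# A Windows Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a lure might borrow to look like a scanned ID or bill.
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf")


def suspicious_lnk_entries(zip_bytes: bytes) -> list:
    """Return (name, lnk_content, double_extension) for each risky member.

    lnk_content:      the member's bytes begin with the LNK header, whatever
                      the file is called.
    double_extension: the name ends in .lnk but carries an image/document
                      extension in front of it (e.g. driver_license.jpg.lnk).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            lnk_content = head == LNK_MAGIC
            double_ext = lower.endswith(".lnk") and lower[:-4].endswith(DECOY_EXTS)
            if lnk_content or double_ext:
                findings.append((name, lnk_content, double_ext))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # LNK header plus padding, named to look like a photo of an ID card.
        zf.writestr("driver_license.jpg.lnk", LNK_MAGIC + b"\x00" * 32)
        # Plain .lnk with no decoy extension: caught by the header check alone.
        zf.writestr("credit_card.lnk", LNK_MAGIC + b"\x00" * 32)
        # Benign-looking members that should not be flagged.
        zf.writestr("utility_bill.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, by_header, by_name in suspicious_lnk_entries(build_sample_archive()):
        print(f"{name}: lnk_header={by_header} double_extension={by_name}")
```

Checking the header rather than only the name matters because a mail gateway that strips `.lnk` by extension alone misses a shortcut renamed to hide its type.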
A progression from its past efforts, Evilnum’s latest creation is PyVil, a Python-scripted RAT used to obtain passwords, documents, browser cookies, and email credentials on infected devices. PyVil differs from previous trojans from the group in a few ways, according to Cybereason.
“This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow,” Cybereason said.
What can organizations and individuals do to protect themselves against these types of RAT attacks?
“Enterprises are in a cat-and-mouse game with cyber adversaries, and getting ahead of them takes resiliency and around-the-clock network-threat hunting and monitoring services,” Tom Fakterman, threat researcher for Cybereason, told TechRepublic. “Improving security hygiene will give enterprises a broader and deeper scan of their networks, enabling them to root out malicious behavior faster. For employees, I would recommend they not open attachments in emails from unknown sources and don’t download files and content from dubious sources. The same holds true for all devices, including PCs, Macs, laptops and all mobile devices.”