
Cybercrime, Evilnum is spreading a new RAT: PyVil

Cybereason: Evilnum is spreading a new RAT, PyVil. The malware, written in Python, has several capabilities: it enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy additional tools to steal credentials.

The new RAT, dubbed PyVil, is being spread by the cybercrime group Evilnum and was discovered by Cybereason's security researchers. The malware, written in Python, has several capabilities: it enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy additional tools such as LaZagne to steal credentials. The group has also changed its infection chain. In the past, campaigns started with spear phishing emails delivering zip archives that contained LNK files masquerading as images; these LNK files dropped a JavaScript Trojan with various backdoor capabilities. In recent weeks, the four different LNK files in the zip archive have been replaced by a single LNK file that masquerades as a PDF whose content supposedly includes several documents, such as utility bills, credit card photos, and driver's license photos.
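The lure described above (an LNK shortcut inside a zip archive, named so that it passes as an image or a PDF) is easy to screen for before the archive reaches a user. The following is an added example, not code from the original article or from Cybereason: it builds a constructed archive with a double-extension shortcut, a shortcut hidden under a plain .jpg name, and two benign files, then flags the entries that look like LNK lures. The only signature it relies on is the documented MS-SHLLINK header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046); the file names and the decoy extension list are assumptions chosen to match the campaign's pattern.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions the lures claimed to have: images in the older campaign, PDF in the newer one.
# Assumed list; extend it to whatever document types your users receive.
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf")


def suspicious_entries(zip_bytes):
    """Return a list of (entry name, reason) for archive entries that look like LNK lures.

    Two independent checks are applied to every file in the archive:
      1. name-based: a .lnk extension behind a decoy extension, e.g. 'bill.pdf.lnk';
      2. content-based: the entry's first 20 bytes are the LNK header, whatever the
         name says (catches shortcuts renamed to look like plain images).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_lnk_data = head == LNK_MAGIC
            stem = lower.rpartition(".")[0]  # name without its last extension
            if lower.endswith(".lnk") and stem.endswith(DECOY_EXTENSIONS):
                findings.append((name, "double extension: decoy type followed by .lnk"))
            elif is_lnk_data and not lower.endswith(".lnk"):
                findings.append((name, "LNK header under a non-.lnk file name"))
            elif is_lnk_data:
                findings.append((name, "LNK shortcut inside archive"))
    return findings


def build_sample_archive():
    """Constructed lure archive mirroring the shape described in the text (not a real sample)."""
    # A 0x4C-byte header with an empty body is enough to exercise the header check;
    # no real shortcut target or payload is included.
    fake_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JPEG SOI marker, harmless filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("utility_bill.pdf.lnk", fake_lnk)   # newer-style single lure
        zf.writestr("card_photo.jpg", fake_lnk)         # shortcut hidden under an image name
        zf.writestr("readme.txt", b"nothing to see")
        zf.writestr("holiday.jpg", real_jpg)            # genuine image, must not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The content check matters more than the name check: Windows hides the .lnk extension of shortcuts by default, so the name a user sees is never the whole story, and an attacker can rename the file freely. Reading only the first 20 bytes of each entry keeps the scan cheap even on large archives.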

Cyber security experts: the cybercrime gang is also using new infrastructure

Moreover, in the group's previous campaigns Evilnum's tools avoided using domains in communications with the C2, relying only on IP addresses. In recent weeks, the researchers observed an interesting trend in the gang's growing infrastructure. By tracking the new infrastructure Evilnum has recently built, a pattern of expansion can be seen: while the C2 IP address changes every few weeks, the list of domains associated with that IP address keeps growing. A few weeks ago, three domains associated with the malware resolved to the same IP address. Shortly thereafter, the C2 IP address of all three domains changed, and three new domains were registered that resolved to the same new IP address and were used by the malware. A few weeks later the same change occurred again: the resolution address of all the domains changed within a span of a few days, with the addition of three more domains.
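The pattern above (a seed domain hops to a new C2 IP every few weeks, and each hop brings along the old domains plus a few new ones) is what a passive-DNS pivot is meant to surface. The following is an added example, not code from the original article or from Cybereason's tracking; the observations, domain names (reserved .example names) and IP addresses (documentation ranges) are constructed to reproduce the shape of the text, not indicators from the report. Following the seed domain through its resolution history, the code lists which domains shared each C2 address while the seed was on it, and which of those were new at that hop. It deliberately restricts co-resolution to the time window in which the seed used the address, so a later, unrelated domain landing on a recycled IP is not pulled into the cluster.

```python
from datetime import date

# Constructed passive-DNS style observations: (date seen, domain, resolved IP).
# Three domains share one IP, then all three move and three more join, twice over.
# The final row is noise: an unrelated domain appearing on the first IP after the
# group has already moved away from it.
OBSERVATIONS = [
    ("2020-07-01", "a1.example", "203.0.113.10"),
    ("2020-07-01", "a2.example", "203.0.113.10"),
    ("2020-07-02", "a3.example", "203.0.113.10"),
    ("2020-07-20", "a1.example", "198.51.100.7"),
    ("2020-07-20", "a2.example", "198.51.100.7"),
    ("2020-07-21", "a3.example", "198.51.100.7"),
    ("2020-07-22", "b1.example", "198.51.100.7"),
    ("2020-07-22", "b2.example", "198.51.100.7"),
    ("2020-07-23", "b3.example", "198.51.100.7"),
    ("2020-08-10", "a1.example", "192.0.2.44"),
    ("2020-08-10", "a2.example", "192.0.2.44"),
    ("2020-08-11", "a3.example", "192.0.2.44"),
    ("2020-08-11", "b1.example", "192.0.2.44"),
    ("2020-08-12", "b2.example", "192.0.2.44"),
    ("2020-08-12", "b3.example", "192.0.2.44"),
    ("2020-08-13", "c1.example", "192.0.2.44"),
    ("2020-08-13", "c2.example", "192.0.2.44"),
    ("2020-08-14", "c3.example", "192.0.2.44"),
    ("2020-08-15", "unrelated.example", "203.0.113.10"),  # recycled IP, not the group's
]


def seed_epochs(observations, seed):
    """Ordered (start, end, ip) intervals during which `seed` resolved to each IP.

    `end` is the date of the seed's next hop to a different IP (date.max if none).
    """
    hops = sorted((date.fromisoformat(d), ip) for d, dom, ip in observations if dom == seed)
    epochs = []
    for i, (start, ip) in enumerate(hops):
        if epochs and epochs[-1][2] == ip:
            continue  # repeat sighting on the same IP, still the same epoch
        end = next((s for s, nxt in hops[i + 1:] if nxt != ip), date.max)
        epochs.append((start, end, ip))
    return epochs


def pivot(observations, seed):
    """Follow `seed` across its C2 IPs; for each hop, list the domains that shared that
    IP while the seed was on it. Sightings on the same IP outside that window are
    ignored, which keeps a later unrelated tenant of a recycled address out."""
    clusters = []
    for start, end, ip in seed_epochs(observations, seed):
        members = sorted({dom for d, dom, resolved in observations
                          if resolved == ip and start <= date.fromisoformat(d) < end})
        clusters.append({"ip": ip, "start": start.isoformat(), "domains": members})
    return clusters


def newly_added(clusters):
    """Per hop, the domains not seen in any earlier hop: the growth the text describes."""
    seen, growth = set(), []
    for cluster in clusters:
        growth.append(sorted(set(cluster["domains"]) - seen))
        seen |= set(cluster["domains"])
    return growth


if __name__ == "__main__":
    clusters = pivot(OBSERVATIONS, "a1.example")
    for cluster, added in zip(clusters, newly_added(clusters)):
        print(f"{cluster['start']} {cluster['ip']}: {len(cluster['domains'])} domains, new: {added}")
```

Against real passive-DNS data the same time-window rule is the main defence against over-pivoting: a bare "every domain that ever resolved to this IP" query on shared or recycled hosting would attach hundreds of innocent names to the cluster, whereas restricting to the seed's own residency window keeps the expansion to what co-moved with the C2.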
