
PyVil Remote Access Trojan

First seen in mid-2020, PyVil is a new Python-based modular trojan created by the Evilnum APT group for use in attacks against financial technology businesses and their customers throughout Western Europe, including in the UK.



Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

PyVil, or PyVILRAT, is a newly observed modular and fileless remote access trojan (RAT) created by the Evilnum advanced persistent threat (APT) group for its own use.

Written in Python, it is intended primarily for use against financial technology organisations and has been observed in campaigns across the UK and EU.


Delivery

Evilnum appear to be using a simpler infection chain to deliver PyVil than for their older tools. Initial delivery is via spear-phishing emails carrying an archive that contains what appears to be a PDF but is in fact a Windows shortcut (LNK) file. When opened, the shortcut executes a preliminary JavaScript file and then replaces itself with a non-malicious PDF, so that the victim sees the document they expected.

The JavaScript file then creates a scheduled task to download an initial EXE file. This collects a list of installed anti-virus products, downloads a secondary EXE file and passes the list to it. The secondary EXE then downloads the final, encrypted PyVil payload, decrypts it and loads it directly into memory, so the RAT itself is not written to disk.
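
A check for the lure described above, added here as an example and not tooling from the advisory or from the Evilnum toolset: scan a ZIP attachment for members that are Windows shortcuts, identified by their leading bytes rather than trusting the name, and flag those whose name also advertises .pdf (Explorer hides the known .lnk extension, so the user sees a PDF). The archive, its member names and their contents are constructed for the demonstration.

```python
"""Flag shortcut (LNK) files posing as PDFs inside a ZIP attachment."""
import io
import zipfile

# A Windows Shell Link file starts with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"


def sniff(data: bytes) -> str:
    """Return the real file type from the leading bytes, ignoring the name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def scan_archive(zip_bytes: bytes) -> list:
    """Return (member name, verdict) for every file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(64)
            real = sniff(head)
            name = info.filename.lower()
            if real == "lnk" or name.endswith(".lnk"):
                # Any shortcut in a mail attachment is suspicious; one whose
                # name also mentions .pdf is the double-extension lure.
                verdict = "masquerading-lnk" if ".pdf" in name else "lnk"
            elif name.endswith(".pdf") and real != "pdf":
                verdict = "bad-magic"      # claims PDF, content says otherwise
            else:
                verdict = "ok"
            findings.append((info.filename, verdict))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one disguised LNK, one genuine PDF, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2020-08.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Terms.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("Readme.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_archive(build_sample_archive()):
        print(f"{verdict:18} {member}")
```

Checking the header bytes matters because a renamed shortcut keeps its LNK structure whatever extension it carries; the name check alone would miss a member called simply `Invoice.lnk` delivered with a PDF icon.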


Activities

Once installed, PyVil connects to a command and control (C2) server using HTTP POST requests, with all communications encrypted using RC4. It then sends user and system information before awaiting further commands. By default, PyVil has the ability to:

  • record screenshots and keystrokes
  • download and execute secondary payloads or Python scripts
  • open SSH shells
  • execute commands via the command line.

PyVil also uses a separate Python payload containing a custom LaZagne module to locate and extract user credentials from a wide variety of services.
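
The C2 channel described above, as an added illustration that is not code from the PyVil sample or from this advisory: a plain RC4 routine, a constructed beacon body in an assumed JSON-then-base64 layout, the decode step an analyst applies to a captured POST body once the key has been recovered from the sample, and a helper showing why a fixed RC4 key with no per-message nonce is a keystream-reuse problem. The key, the body layout and the victim details are all assumptions made for this example.

```python
"""Decode RC4-protected C2 check-ins of the kind described above (constructed)."""
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical key: the real value must be recovered from the sample.
ASSUMED_KEY = b"example-hardcoded-key"


def encode_beacon(key: bytes, info: dict) -> str:
    """Stand-in for the implant's check-in body: JSON -> RC4 -> base64.
    The layout is an assumption for this example, not PyVil's wire format."""
    plain = json.dumps(info, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plain)).decode()


def decode_beacon(key: bytes, body: str) -> dict:
    """What an analyst does with a captured POST body once the key is known."""
    return json.loads(rc4(key, base64.b64decode(body)))


def keystream_reuse(key: bytes, a: bytes, b: bytes) -> bytes:
    """RC4 under a fixed key is a reused one-time pad: XOR of two ciphertexts
    equals XOR of the two plaintexts, so known structure in one beacon (a JSON
    prefix, say) leaks the other without the key."""
    ca, cb = rc4(key, a), rc4(key, b)
    n = min(len(ca), len(cb))
    return bytes(x ^ y for x, y in zip(ca[:n], cb[:n]))


# Constructed victim details for the demonstration.
SAMPLE_INFO = {"user": "jsmith", "host": "FIN-WS-017", "av": ["Windows Defender"]}


if __name__ == "__main__":
    body = encode_beacon(ASSUMED_KEY, SAMPLE_INFO)
    print("POST body:", body)
    print("decoded  :", decode_beacon(ASSUMED_KEY, body))
```

The practical consequence for defenders is that a hard-coded RC4 key gives the operator no real confidentiality once a sample is in hand: every beacon and tasking message captured from the proxy can be decrypted offline with the routine above.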


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 176.107.188[.]175
  • 185.236.230[.]25
  • 193.56.28[.]201
  • 5.206.227[.]81

Domains

  • corpxtech[.]com
  • crm-domain[.]net
  • extrasectr[.]com
  • fxmt4x[.]com
  • leads-management[.]net
  • quotingtrx[.]com
  • telecomwl[.]com
  • telefx[.]net
  • trquotesys[.]com
  • veritechx[.]com
  • voipasst[.]com
  • voipreq12[.]com
  • voipssupport[.]com
  • vvxtech[.]net
  • xlmfx[.]com

Host indicators

SHA256 hashes

  • 048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9
  • 062ed9f40ca330f0fed63cbdd401521deb23f93b5527038fc88f70ed9acadf39
  • 0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0
  • 0c920e7dfdd0028d9d15344c2e9c64ae57c2c9417dc7b22b865fdfe0cc0b8b1f
  • 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
  • 11d9a87b144c0eaf71e8dea1b08117d464ed7f24a6e716e935e0c7f3a7e03edc
  • 130e0536cdb4e9f7cfb273dbabc9ee196a51d1217cd4b981847af6314f46b052
  • 1a3f39dc604dbca691aefeaf1d5a372fbca3650003d4145671525a2960e1239e
  • 1aa9ecb83acbebc64b23f7192e763cf4bd278f10df2223512087b87230e411b4
  • 25c119a7ee5b53212b5992992907a7772610b491ce2992c860dc206d0f3f844d
  • 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
  • 3f3738e4606ea85a382319269405ee72a928a8a761273914c52342b116cbddfc
  • 4574239efb728913fd379cc914039b1d7fa8c3ac8d6e3503d6f5bc73de504c96
  • 4ce0954ca7173bd696afe8f44bf48027b3d4d630c0cce414b95d6715e662b5fb
  • 4e396586fd6dfcc24686aae73ba5c336939ee7a7aa9ffb76a1f78867926c6e4b
  • 568ec03a27740f8babc3513948a44ce1a2944d05f3d454ce345e67a0634a4a73
  • 5aa1109d057e830d6f3faf4b6ff6f69075d158dadb5f46794b3e07685922d09d
  • 6136309a207b89ccd423f8c087a9cdd633d8f5e78b8ebd576b7750b49274c532
  • 63a4b6ef72e0a3a0886364a5ebcc0009c6da8c27d93cf9d6c8107b6f025fed34
  • 79b032dbb8ade21b97be5dcaa63c974b6cdbb3c6f32b4abf2872288ae43ea4a6
  • 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
  • 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
  • 8dfb2f5c74f38ffb39bfc17bf6a62d5822c458215619c1b2ec2eb345f21d1265
  • 9dfb040dab1fd05fbccf69ff3461295815edc463a61a6304af18a72f82bce534
  • a787ecc380021b3b7115c97242ba06706a0a1e41efe1b734552d74384bae22ec
  • a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
  • bdc20527d5afc4f13fa45c9182c8f58eb88cb4edc76aa38be83d95fd3365ce0a
  • c4b90fdec0848ad68abe18a42889ec0e5e45b7678afbf0353fedf53915b76275
  • c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
  • cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
  • d6343a07357e5443d6a59f10e16a06796c46bec3cbe5968ac04b0f082d6fcecf
  • db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
  • e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
  • f388a2ebbb6a7e577e8aa6205e87d5b2975e7c08464123cc36e8e3d437e9a523
  • f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
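
One way to put the indicators above to use, added here as an example rather than tooling from the advisory: refang the defanged entries, match hostnames and IPs in web proxy logs (including subdomains of the listed domains), and compare file hashes. The domain and IP lists are taken from this page and the hash set is a three-entry subset of the list above; the proxy log format and the log lines are constructed for the example.

```python
"""Match the advisory's network and host indicators against constructed logs."""
import hashlib
import re


def refang(indicator: str) -> str:
    """Turn the defanged form used above ('corpxtech[.]com') into a real value."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in """
corpxtech[.]com crm-domain[.]net extrasectr[.]com fxmt4x[.]com
leads-management[.]net quotingtrx[.]com telecomwl[.]com telefx[.]net
trquotesys[.]com veritechx[.]com voipasst[.]com voipreq12[.]com
voipssupport[.]com vvxtech[.]net xlmfx[.]com
""".split()}

IOC_IPS = {refang(ip) for ip in
           "176.107.188[.]175 185.236.230[.]25 193.56.28[.]201 5.206.227[.]81".split()}

# Subset of the SHA256 list above; load the full list in production.
IOC_SHA256 = {
    "048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9",
    "062ed9f40ca330f0fed63cbdd401521deb23f93b5527038fc88f70ed9acadf39",
    "0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0",
}

# Assumed proxy log layout: timestamp, client IP, method, host[:port]/path, status.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^/\s:]+)")


def host_matches(host: str) -> bool:
    """Exact IP/domain hits plus subdomains of listed domains (cdn.vvxtech.net),
    without matching unrelated names that merely end in the same string."""
    host = host.lower()
    if host in IOC_IPS or host in IOC_DOMAINS:
        return True
    return any(host.endswith("." + d) for d in IOC_DOMAINS)


def match_proxy_log(lines) -> list:
    """Return (timestamp, client, host) for every line touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and host_matches(m.group("host")):
            hits.append((m.group("ts"), m.group("src"), m.group("host")))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_hits(files: dict, known=IOC_SHA256) -> list:
    """Names of in-memory file blobs whose SHA256 is in the indicator set."""
    return [name for name, data in files.items() if sha256_hex(data) in known]


SAMPLE_LOG = [  # constructed lines, not real traffic
    "2020-09-10T09:12:03Z 10.20.1.55 POST corpxtech.com/api HTTP/1.1 200",
    "2020-09-10T09:12:04Z 10.20.1.55 GET cdn.vvxtech.net/update.php 200",
    "2020-09-10T09:13:00Z 10.20.1.56 GET www.example.co.uk/ 200",
    "2020-09-10T09:14:00Z 10.20.1.57 POST 185.236.230.25/ 200",
    "2020-09-10T09:15:00Z 10.20.1.58 GET notcorpxtech.com/ 200",
]


if __name__ == "__main__":
    for ts, src, host in match_proxy_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {host}")
    print("hash hits:", hash_hits({"dropper.exe": b"placeholder bytes"}))
```

The subdomain rule is the part most often got wrong in ad-hoc IOC scripts: a plain substring test would also fire on `notcorpxtech.com`, while an exact match would miss `cdn.vvxtech.net`; anchoring on the dot boundary handles both.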

Last edited: 17 September 2020 2:25 pm