
New Python-scripted trojan malware targets fintech companies | ZDNet

BCyber, September 12, 2020

Trojan malware: The hidden but deadly threat to your network

A well-resourced hacking operation has deployed newly-developed trojan malware in a campaign targeting financial tech organisations with the aim of stealing email addresses, passwords and other sensitive corporate information – and the malicious code is bundled inside code ripped from legitimate applications.

Known as Evilnum, the advanced persistent threat (APT) group first emerged in 2018 and one of the reasons for their success is how often they’ve changed tools and tactics as they take aim at targets related to Fintech mostly located in Europe and the UK, although some victims are located in the Americas and Australia.

Evilnum’s activity has been varied, with reports of it using components written in JavaScript and C#, and it has now deployed yet another new tool. This time it is a Python-scripted remote access trojan (RAT), which emerged in recent weeks alongside a new spate of targeted attacks.

Uncovered by cybersecurity researchers at Cybereason who’ve dubbed it PyVil RAT, the trojan allows attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected.

Previous Evilnum attacks have begun with highly targeted spear phishing emails and the PyVil delivery campaign is similar, although rather than delivering Zip archives like before, the compromise begins with emails containing an LNK file masquerading as a PDF.

The phishing emails claim to contain identification documents associated with banking, including utility bills, credit card statements and even driver’s license photos.


If opened, the file starts a chain that ultimately connects the compromised machine to Evilnum’s command and control servers and drops the trojan on the system, from where the operators can issue instructions and push additional functionality to PyVil, all while staying hidden from the victim.

One of the reasons the new trojan is able to do this is that the malicious code is obfuscated behind many layers, including being bundled inside code taken from legitimate software and wrapped around the malware.

“This tactic works to their advantage in several ways, including avoiding detection and maintaining persistence – the abuse of legitimate code is more common with more sophisticated actors,” Tom Fakterman, threat researcher at Cybereason told ZDNet.

While it remains unclear who the cyber criminals behind Evilnum ultimately are, the highly targeted nature of the attacks combined with the way in which they’re constantly changing their tactics leads researchers to believe that it’s a highly professional, well-resourced campaign.

Evilnum is thought to remain active, and it is likely only a matter of time before the group changes its tools and techniques for targeting organisations in the Fintech space once more.

“We still see samples of the malware pop up and we see that the threat actors’ infrastructure is still active. The best way of protection is education, improving security hygiene and teaching employees not to be duped into opening phishing emails and not downloading information from dubious websites,” Fakterman said.

This content was originally published here.

Written by: BCyber
