Evilnum hackers targeting financial firms with a new Python-based RAT

An adversary known for targeting the fintech sector since at least 2018 has switched up its tactics to include a new Python-based remote access Trojan (RAT) that can steal passwords, documents, browser cookies, email credentials, and other sensitive information.

In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which can gather information, take screenshots, capture keystrokes, open an SSH shell and deploy new tools.

"Since the first reports in 2018 through today, the group's TTPs have evolved with different tools while the group has continued to focus on fintech targets," the cybersecurity firm said.

"These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT)" to spy on its infected targets.


Over the last two years, Evilnum has been linked to several malware campaigns against companies across the UK and EU involving backdoors written in JavaScript and C# as well as tools bought from the Malware-as-a-Service provider Golden Chickens.


Back in July, the APT group was found targeting companies with spear-phishing emails containing a link to a ZIP file hosted on Google Drive, aiming to steal software licenses, customer credit card information, and investment and trading documents.

While the modus operandi for gaining an initial foothold in the compromised system remains the same, the infection procedure has changed significantly.

Besides using spear-phishing emails with fake know your customer (KYC) documents to trick employees in the finance industry into triggering the malware, the attacks have moved away from JavaScript-based Trojans with backdoor capabilities to a bare-bones JavaScript dropper that delivers malicious payloads hidden in modified versions of legitimate executables in an attempt to evade detection.

"This JavaScript is the first stage in this new infection chain, culminating with the delivery of the payload, a Python written RAT compiled with py2exe that Nocturnus researchers dubbed PyVil RAT," the researchers said.

The multi-process delivery procedure ("ddpp.exe"), upon execution, unpacks shellcode to establish communication with an attacker-controlled server and retrieve a second encrypted executable ("fplayer.exe") that functions as the next-stage downloader to fetch the Python RAT.
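The py2exe detail in the chain above gives defenders a cheap triage hook: py2exe-built executables carry recognisable packaging markers regardless of what the script inside does. The script below is an added example written for this page, not code from Cybereason's report or from the malware. It searches a file's raw bytes for the PYTHONSCRIPT resource name (in ASCII and in the UTF-16LE form used by PE resource directories), a pythonNN.dll reference and the default library.zip archive. These markers are assumptions drawn from how py2exe packages scripts, not indicators published for PyVil RAT, and the sample byte strings are constructed rather than taken from real binaries.

```python
import re
import sys

# Markers commonly present in py2exe-built executables. Assumed from py2exe's
# packaging conventions; they are a triage heuristic, not a malware signature.
PYTHONSCRIPT = "PYTHONSCRIPT"      # resource type name the py2exe stub looks up
PYTHON_DLL = re.compile(rb"python\d{2,3}\.dll", re.IGNORECASE)
LIBRARY_ZIP = b"library.zip"       # default archive of compiled modules


def _has_marker_any_encoding(data: bytes, marker: str) -> bool:
    """PE resource names are UTF-16LE; the stub's own lookup string is ASCII."""
    return marker.encode("ascii") in data or marker.encode("utf-16-le") in data


def py2exe_indicators(data: bytes) -> dict:
    """Report which py2exe markers appear in an executable's raw bytes."""
    dll = PYTHON_DLL.search(data)
    return {
        "pythonscript_resource": _has_marker_any_encoding(data, PYTHONSCRIPT),
        "python_dll": dll.group(0).decode("ascii") if dll else None,
        "library_zip": LIBRARY_ZIP in data,
    }


def looks_like_py2exe(data: bytes) -> bool:
    """Two or more markers is a strong hint; one alone also occurs in benign files."""
    ind = py2exe_indicators(data)
    score = sum([
        ind["pythonscript_resource"],
        ind["python_dll"] is not None,
        ind["library_zip"],
    ])
    return score >= 2


def scan_file(path: str) -> dict:
    """Read a file from disk and return its indicators plus the verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = py2exe_indicators(data)
    result["verdict"] = looks_like_py2exe(data)
    return result


# Constructed samples (not real malware bytes): a fake MZ header and a few
# marker strings, enough to exercise the heuristic offline.
SAMPLE_PY2EXE = (
    b"MZ" + b"\x00" * 64
    + b"python37.dll\x00"
    + "PYTHONSCRIPT".encode("utf-16-le") + b"\x00\x00"
    + b"library.zip\x00"
)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"kernel32.dll\x00user32.dll\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        print("constructed py2exe-like sample:", py2exe_indicators(SAMPLE_PY2EXE),
              looks_like_py2exe(SAMPLE_PY2EXE))
        print("constructed plain sample:      ", py2exe_indicators(SAMPLE_PLAIN),
              looks_like_py2exe(SAMPLE_PLAIN))
```

Run it with one or more file paths to triage real samples, or with no arguments to see the constructed cases. The heuristic only tells you that a binary was probably built with py2exe; the bundled script still has to be extracted and read, and a renamed legitimate executable like the ones the dropper abuses will not trip it at all.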

"In previous campaigns of the group, Evilnum's tools avoided using domains in communications with the C2, only using IP addresses," the researchers noted. "While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing."
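The pattern the researchers describe, one C2 IP that accumulates domains and then rotates, is something a defender can hunt for in DNS resolution logs. The script below is an added example written for this page, not code or indicators from Cybereason's report: it groups resolutions by IP, flags IPs that collect several distinct domains, and pivots from a seed IP through shared domains to find the next IP the infrastructure moved to. The resolution records, domain names and IP addresses are constructed placeholders, not Evilnum indicators.

```python
from collections import defaultdict
from datetime import date

# Constructed resolution log (not real Evilnum indicators): (day, domain, ip).
# It models the pattern quoted above: one IP gathers domains over time, the IP
# changes, the domains follow it, and a new domain joins the list.
RESOLUTIONS = [
    (date(2020, 6, 1),  "cdn-update.example",   "203.0.113.10"),
    (date(2020, 6, 3),  "docs-kyc.example",     "203.0.113.10"),
    (date(2020, 6, 9),  "player-dl.example",    "203.0.113.10"),
    (date(2020, 6, 15), "sync-files.example",   "203.0.113.10"),
    (date(2020, 6, 20), "www.example.org",      "198.51.100.5"),   # unrelated, one domain
    (date(2020, 7, 2),  "cdn-update.example",   "203.0.113.77"),   # C2 IP rotated
    (date(2020, 7, 2),  "docs-kyc.example",     "203.0.113.77"),
    (date(2020, 7, 4),  "player-dl.example",    "203.0.113.77"),
    (date(2020, 7, 11), "sync-files.example",   "203.0.113.77"),
    (date(2020, 7, 18), "invoice-view.example", "203.0.113.77"),   # new domain joins
]


def domains_by_ip(records):
    """Map each IP to {domain: first_seen_date}, walking records in date order."""
    seen = defaultdict(dict)
    for day, domain, ip in sorted(records):
        seen[ip].setdefault(domain, day)
    return seen


def growing_ips(records, min_domains=3):
    """IPs that accumulate at least min_domains distinct domains.

    Returns {ip: {"domains": [...], "first": date, "last": date}} where first/last
    are the earliest and latest first-seen dates, i.e. how long the list kept growing.
    """
    out = {}
    for ip, doms in domains_by_ip(records).items():
        if len(doms) >= min_domains:
            days = sorted(doms.values())
            out[ip] = {"domains": sorted(doms), "first": days[0], "last": days[-1]}
    return out


def pivot_cluster(records, seed_ip):
    """From one known C2 IP, follow its domains to every other IP they resolved to."""
    by_ip = domains_by_ip(records)
    ips_by_domain = defaultdict(set)
    for _, domain, ip in records:
        ips_by_domain[domain].add(ip)
    found, frontier = set(), {seed_ip}
    while frontier:
        ip = frontier.pop()
        found.add(ip)
        for domain in by_ip.get(ip, {}):
            frontier |= ips_by_domain[domain] - found
    return sorted(found)


if __name__ == "__main__":
    for ip, info in growing_ips(RESOLUTIONS).items():
        print(f"{ip}: {len(info['domains'])} domains, growing {info['first']} -> {info['last']}")
        for d in info["domains"]:
            print("   ", d)
    print("cluster from seed 203.0.113.10:", pivot_cluster(RESOLUTIONS, "203.0.113.10"))
```

The threshold in growing_ips is deliberately low for the toy data; on real passive-DNS or resolver logs, raise it and exclude shared hosting and CDN ranges first, or the report will be dominated by benign IPs that legitimately front hundreds of domains. The pivot is the useful part: a single confirmed C2 IP from one incident lets you recover the domains and the successor IP before the next campaign reaches you.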


While Evilnum's exact origins remain unclear, it is evident that their constant improvisation of TTPs has helped them stay under the radar.

As the APT's techniques continue to evolve, it is essential that businesses remain vigilant and that employees watch their inboxes for phishing attempts and exercise caution when opening emails and attachments from unknown senders.
