Researchers discovered a new Python-based RAT dubbed PyXie that has been used in campaigns targeting a wide range of industries.
Experts at BlackBerry Cylance have spotted a new Python-based remote access Trojan (RAT) that has been used in campaigns targeting a wide range of industries.
PyXie was first observed in the wild in 2018, but it received little attention from cybersecurity firms.
“PyXie has been deployed in an ongoing campaign that targets a wide range of industries. It has been seen in conjunction with Cobalt Strike beacons as well as a downloader that has similarities to the Shifu banking Trojan.” reads the analysis published by Cylance. “Analysts have observed evidence of the threat actors attempting to deliver ransomware to the healthcare and education industries with PyXie.”
PyXie has been observed in conjunction with Cobalt Strike beacons and a downloader that shows some similarities with the Shifu banking Trojan.
The threat actors behind PyXie were observed attempting to deliver ransomware to the healthcare and education industries with this new RAT.
Attackers used legitimate LogMeIn and Google binaries to sideload payloads in the first stage of the attack chain; a second-stage malware then gathers information on the victim machine and gains persistence.
As part of the PyXie attacks, legitimate LogMeIn and Google binaries were used to sideload the first stage DLL, which then locates its encrypted payload. The second stage installs itself, fingerprints the victim machine, achieves persistence, and spawns a new process to inject the third stage payload.
The malware creates two mutexes to prevent multiple payload instances from running at the same time.
“If the process infected with the second stage payload is running with administrator privileges, the malware will attempt to escalate its own privileges.” continues the analysis. “It does so by creating and starting a temporary service, thus respawning and running as a LOCAL SYSTEM process. To remain stealthy, the malware deletes the temporary service from the Service Control Manager.”
The third stage payload is a downloader dubbed Cobalt Mode, which shares similarities with the Shifu banking Trojan. Upon execution, it connects to a command and control (C&C) server, fetches an encrypted payload and decrypts it, maps and executes the payload in the address space of the current process, and then spawns a new process for code injection.
Cobalt Mode also checks whether it runs in a sandbox or virtualized environment. It also checks if a smart card reader is attached to the infected machine, and if a man-in-the-middle (MitM) attack is performed to intercept requests.
The last stage of the attack chain is the PyXie RAT, which supports the following features:
MITM interception;
Web-injects;
Keylogging;
Credential harvesting;
Network scanning;
Cookie theft;
Log clearing;
Video recording;
Payload execution;
USB drive monitoring and data exfiltration;
Certificate theft;
Software inventorying.
PyXie RAT functionality also includes a WebDav server, Socks5 proxy, and Virtual Network Connection (VNC), along with the ability to enumerate domains using Sharphound.
Communication with the C2 is implemented over HTTP/HTTPS; as a backup mechanism, the malware uses comments left in GitHub Gists.
The malware is able to download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself from the infected system.
Experts observed the RAT being deployed in conjunction with Cobalt Strike and using a Trojanized open-source Tetris game as a loader.
Technical details about the malware, including the Indicators of Compromise (IOCs) are available in the report published by Cylance.