The “Evilnum” group of actors has been pretty active during the past two years, and it appears that they are now going through major shifts in their toolset.
Evilnum is interested in banks and financial organizations in general, which hasn’t changed. The group’s main goal is to spy on its targets and try to exfiltrate sensitive data like VPN passwords, browser cookies, email credentials, and classified documents.
The new payload is the PyVil RAT written in Python, which is obfuscated with extra layers to make its decompilation
The Nocturnus researchers used memory dumps to do it anyway, and they report the following functionality in PyVil’s code:
- Running cmd commands
- Taking screenshots
- Downloading more Python scripts for additional functionality
- Dropping and uploading executables
- Opening an SSH shell
- Collecting information such as which antivirus products are installed, which USB devices are connected, or the Chrome version
When the RAT needs to phone home to the C2, it does so via HTTP POST requests that are RC4-encrypted with a hardcoded, base64-encoded key. In several recorded cases, PyVil RAT received a new Python module from the C2, which was basically a custom version of the LaZagne credential stealer.
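For an analyst who has recovered the key string from a memory dump and has a captured POST body, decoding the traffic described above can look like the following. This is an added example, not code from PyVil or from the Nocturnus report; the function names, the key, the sample body and the optional base64 wrapping of the body are constructed assumptions.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:  # keystream generation (PRGA), XORed into the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def decode_c2_body(body: bytes, key_b64: str, body_is_base64: bool = False) -> bytes:
    """Decrypt one captured POST body with the key string recovered from the sample."""
    key = base64.b64decode(key_b64, validate=True)  # raises on a malformed key string
    if body_is_base64:  # assumption: a capture may carry the ciphertext base64-wrapped
        body = base64.b64decode(body, validate=True)
    return rc4(key, body)

# Constructed values for illustration, not indicators from the report.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_PLAINTEXT = b"constructed beacon: host=LAB-PC01 av=none chrome=0.0"
SAMPLE_BODY = rc4(b"constructed-demo-key", SAMPLE_PLAINTEXT)  # stands in for a captured body

if __name__ == "__main__":
    print(decode_c2_body(SAMPLE_BODY, SAMPLE_KEY_B64))
```

Because the key is hardcoded, one recovered key string decodes every capture from the same sample, which is what makes the memory-dump approach useful for scoping what was exfiltrated.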
Finally, the infrastructure that supports the Evilnum operations seems to have grown significantly over the past couple of weeks, and so has the number of domain IP addresses associated with the group. This is indicative of the group’s goal to continue its malicious operations and actually up its game by deploying new tools and making sure that it is still able to remain undetected.