Palo Alto Networks’ Unit 42 research team described AridViper as “an active threat group that continues developing new tools as part of their arsenal.”it shows multiple overlaps with other existing AridViper tools, such as MICROPSIA.
PyMICROPSIA malware include file uploading, payload downloading and execution, browser-credential stealing, taking screenshots, and keylogging. It can also collect file listing information, delete files, reboot machines, collect data from USB drives, record audio, harvest Outlook.OST files, and kill or disable Outlook processes.
AridViper built the malware is built with Python and made it into a Windows executable using PyInstaller. It implements its main functionality by running a loop where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator.
“The usage of Python built-in libraries is expected for multiple purposes, such as interacting with Windows processes, Windows registry, networking, file system and so on,” said researchers.
Researchers also found the malware has a “Keanu Reeves” module and another called “Fran Drescher.” It also contains numerous references to Disney movies and TV series, such as The Big Bang Theory and Game of Thrones, in its code.
Though AridViper designed PyMICROPSIA to target Windows operating systems, researchers said the code contains snippets checking for other operating systems, such as “posix” or “darwin.”
Capabilities getting more sophisticated that one should be aware of all foreign agents and intruders and handle it cautiously. More and more features are breen added which makes so difficult to cut short these activities.