Several threat actors have been prying on fintech companies by sending fraudulent information and documents to infect victims' systems.

What happened recently?

A Python-based remote access trojan (RAT), dubbed PyVil, has emerged as a change in the infection chain and an expansion of the infrastructure used by the Evilnum APT group.
  • As part of a change in its TTPs, Evilnum has added the PyVil RAT to its arsenal to exfiltrate data, perform keylogging, and take screenshots.
  • The APT group used the Know Your Customer (KYC) regulations as a lure in the spear-phishing emails targeted at fintec companies across the U.K. and EU.

A new RAT sets up its burrow

  • PyVil RAT is basically a Python extension that helps convert Python scripts into Microsoft Windows executables, adding its capability to download new modules to expand functionality.
  • Additionally, the RAT’s functionalities include acting as a keylogger, taking screenshots, dropping and uploading Python scripts, collecting antivirus information and browser versions installed on the machine, among others.
  • The group uses tools such as More_eggs, TerraPreter, TerraStealer, credential-harvesting tool LaZagne, and TerraTV, along with other malware-as-a-service offerings from an underground provider known as Golden Chickens.

Last seen

In July 2020, the Evilnum group launched spear-phishing attacks to obtain financial information from both the targeted companies and their customers in EU countries, the UK, Australia, and Canada.

In essence

The Evilnum APT group has managed to develop its expertise in using legitimate executables during the infection stage in an attempt to stay stealthy and remain undetected by security tools. The addition of such new tools enables the Evilnum group to infect more targets and it is expected to continue its expansion spree in the near future as well.

Cyware Publisher