Palo Alto’s Unit42 research team has recently found hacking group AridViper (aka APT-C-23) dropping a new malware to target victims in the Middle Eastern region. This was discovered while investigating AridViper’s Micropsia malware.
What do we know?
The newly developed Python-based malware—called PyMicropsia—has several information-stealing and control capabilities such as keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, rebooting machines, collecting Outlook processes, and many more.
The trojan contains both built-in Python libraries and specific packages including PyAudio and mss for multiple purposes including information-stealing, interacting with Windows processes, networking, file system, Windows registry, and so on.
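The two third-party packages named above (PyAudio for audio capture, mss for screen capture) are plain strings inside a frozen Python binary, which makes them a cheap triage signal. The script below is an added example written for this summary, not code from Unit 42 or from the sample: it runs a minimal `strings` pass over a file and flags a Windows Python build that ships both packages together. The Python runtime markers it looks for (`python3x.dll`, `PyInstaller`, `Py_Initialize`) and the two sample blobs are assumptions constructed here for illustration; the package names are the only indicators taken from the page.

```python
import re

# Package references taken from the page: PyMicropsia bundles PyAudio and mss.
BUNDLED_PACKAGE_MARKERS = {
    "pyaudio": rb"pyaudio",
    "mss": rb"\bmss\b",
}

# Assumed markers of a frozen Python executable on Windows (not stated on the page).
PYTHON_RUNTIME_MARKERS = [rb"python3\d\.dll", rb"PyInstaller", rb"Py_Initialize"]


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes (a minimal `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob: bytes) -> dict:
    """Heuristic triage: does this binary look like a frozen Python program
    that carries both an audio-capture and a screen-capture package?"""
    joined = b"\n".join(extract_strings(blob))
    found_packages = sorted(
        name for name, pat in BUNDLED_PACKAGE_MARKERS.items()
        if re.search(pat, joined, re.IGNORECASE)
    )
    python_runtime = any(re.search(p, joined, re.IGNORECASE) for p in PYTHON_RUNTIME_MARKERS)
    # Both capture packages inside one frozen Python binary is the combination worth a closer look.
    suspicious = python_runtime and {"pyaudio", "mss"} <= set(found_packages)
    return {
        "python_runtime": python_runtime,
        "found_packages": found_packages,
        "suspicious": suspicious,
    }


# Constructed sample inputs (not real samples): a stand-in for a frozen Python
# binary bundling both packages, and a stand-in for an unrelated native program.
SAMPLE_SUSPICIOUS = (
    b"MZ\x90\x00\x03\x00\x00\x00python38.dll\x00\x00PyInstaller\x00"
    b"pyaudio\x00mss.windows\x00Py_Initialize\x00\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00\x03\x00\x00\x00kernel32.dll\x00BMSSupport\x00audio\x00"


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

Treat a hit as a reason to pull the sample for deeper analysis, not as attribution: many legitimate Python tools bundle these packages, so the value is in cheaply surfacing candidates from a large file set.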
Several of its code sections were found unused, indicating that the malware is likely still under active development.
Insights from the code
Its code variables contained references to multiple famous Hollywood actor names, including Fran Drescher and Keanu Reeves.
Its code also contains checks for other platforms, such as POSIX or Darwin (macOS), even though the current sample targets Windows.
Besides code overlap, PyMicropsia and Micropsia share similar C2 communication URI path structures, and similar TTPs, as per the report.
AridViper’s recent activity
In September, AridViper hacking group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
Separately, in September, the Cybereason Nocturnus team noted that the Evilnum group was using a Python-scripted Remote Access Trojan (RAT), dubbed PyVil RAT, to target different companies across the UK and EU.
The bottom line
Several attack groups today depend on Python-based malware in their cyberattacks. The AridViper group is amplifying its hacking arsenal. The use of Python-based malware and code that is still under development could provide them with improved persistence capabilities. The addition of checks for the POSIX and Darwin platforms could make it a serious threat.