New AridViper Malware Targets Outlook Users

Palo Alto’s Unit42 research team has recently found hacking group AridViper (aka APT-C-23) dropping a new malware to target victims in the Middle Eastern region. This was discovered while investigating AridViper’s Micropsia malware.

What do we know?

  • The newly developed Python-based malware—called PyMicropsia—has several information-stealing and control capabilities such as keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, rebooting machines, collecting Outlook processes, and many more.
  • The trojan uses both built-in Python libraries and third-party packages such as PyAudio and mss for a range of purposes: information stealing, interacting with Windows processes, networking, file system access, Windows registry access, and so on.
  • The malware is likely under active development, as several of its code sections were found unused.

Insights from the code

  • Its code variables contained references to several famous Hollywood actors, including Fran Drescher and Keanu Reeves.
  • Its code also checks for other operating systems, such as POSIX or Darwin.
  • Besides code overlap, PyMicropsia and Micropsia share similar C2 communication URI path structures, and similar TTPs, as per the report.
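The capability list and the code observations above (third-party packages such as PyAudio and mss, Outlook process collection, the POSIX/Darwin checks and the actor-name variables) are the kind of strings a defender can look for when triaging a suspected Python-based sample. The script below is an added illustration, not code from the Unit42 report or from the malware: it pulls printable strings out of a blob, matches them against indicator terms taken from this article, and returns a weighted score and verdict. The categories, weights and thresholds are this example's own choices, and the sample bytes are constructed for the demonstration.

```python
import re

# Indicator terms taken from the capabilities and packages named in the article.
# Category names and weights are choices made for this example, not from the report.
INDICATORS = {
    "third_party_packages": (["pyaudio", "mss"], 2),
    "outlook_targeting": (["outlook"], 2),
    "os_checks": (["posix", "darwin"], 1),
    "actor_name_variables": (["fran", "drescher", "keanu", "reeves"], 1),
}

# Constructed sample: binary junk wrapped around script-like text, standing in for
# strings recovered from a packed Python executable. Not a real malware artefact.
SAMPLE = (
    b"\x00\x01MZ\x90\x00junk\xff\xfe"
    b"import pyaudio\x00import mss\x00"
    b"if os.name == 'posix' or platform.system() == 'Darwin':\x00"
    b"keanu = Outlook.exe\x00fran_drescher = 1\x00"
    b"\x7f\x80\x81end"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def _term_present(term: str, haystack: str) -> bool:
    """Match a term as a whole token so that 'mss' does not hit inside 'mssql'.
    Underscores and punctuation count as separators, since the report describes
    the names appearing as code variables."""
    return re.search(rf"(?<![a-z0-9]){re.escape(term)}(?![a-z0-9])", haystack) is not None


def verdict(score: int) -> str:
    """Map the weighted score to a coarse triage bucket (thresholds are this example's)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    if score > 0:
        return "low"
    return "none"


def score_sample(data: bytes, min_len: int = 4) -> dict:
    """Extract strings, match each indicator category and return hits, score and verdict."""
    haystack = "\n".join(extract_strings(data, min_len)).lower()
    hits = {}
    for category, (terms, _weight) in INDICATORS.items():
        matched = sorted({t for t in terms if _term_present(t, haystack)})
        if matched:
            hits[category] = matched
    score = sum(INDICATORS[c][1] * len(m) for c, m in hits.items())
    return {"hits": hits, "score": score, "verdict": verdict(score)}


if __name__ == "__main__":
    report = score_sample(SAMPLE)
    for category, matched in report["hits"].items():
        print(f"{category}: {', '.join(matched)}")
    print(f"score={report['score']} verdict={report['verdict']}")
```

String matching of this kind is only a first pass: it is cheap to run over a quarantine folder, but a packer or string obfuscation will defeat it, so a hit should trigger deeper analysis rather than serve as a verdict on its own.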

AridViper’s recent activity

  • In September, the AridViper hacking group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
  • In September, the Cybereason Nocturnus team noted that the Evilnum group was using a Python-scripted Remote Access Trojan (RAT), dubbed PyVil RAT, to target different companies across the UK and EU.

The bottom line

Several attack groups today rely on Python-based malware in their cyberattacks, and the AridViper group is expanding its hacking arsenal. Python-based malware with code still under development could give the group improved persistence capabilities, and the addition of POSIX and Darwin OS checks could make it a serious threat.