Palo Alto’s Unit42 research team has recently found hacking group AridViper (aka APT-C-23) dropping a new malware to target victims in the Middle Eastern region. This was discovered while investigating AridViper’s Micropsia malware.
What do we know?
- The newly developed Python-based malware—called PyMicropsia—has several information-stealing and control capabilities such as keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, rebooting machines, collecting Outlook processes, and many more.
- The trojan contains both built-in Python libraries and specific packages including PyAudio and mss for multiple purposes including information-stealing, interacting with Windows processes, networking, file system, Windows registry, and so on.
- The malware is likely under active development as several of its code sections were found unused, indicating that it is.
Insights from the code
- Its code variables contained references to multiple famous Hollywood actor names, including Fran Drescher and Keanu Reeves.
- Its code snippets also check for other operating systems such as Posix or Darwin.
- Besides code overlap, PyMicropsia and Micropsia share similar C2 communication URI path structures, and similar TTPs, as per the report.
AridViper’s recent activity
- In September, AridViper hacking group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
- In September, the Cybereason Nocturnus team noted that the Evilnum group was using Python-scripted Remote Access Trojan (RAT), dubbed PyVil RAT to target different companies across the UK and EU.
The bottom line
Several attack groups today depend on Python-based malware in their cyberattacks. The AridViper group is amplifying its hacking arsenal. The use of Python-based malware and under development code snippets could provide them with improved persistence capabilities. The addition of the new Posix and Darwin OS could make it a serious threat.