New ‘PyXie’ RAT Used Against Multiple Industries

A new Python-based remote access Trojan (RAT) has been used in campaigns targeting a wide range of industries, BlackBerry Cylance revealed this week.

Dubbed PyXie, the malware has been active since last year, but received little attention, although it has been observed in conjunction with Cobalt Strike beacons and a downloader seemingly linked to the Shifu banking Trojan.

The list of targeted industries includes education, conglomerate, manufacturing, healthcare, technology, IT, government, software, engineering, apparel, retail, facilities management, and recycling, BlackBerry Cylance told SecurityWeek.

The company’s researchers also found ransomware on several PyXie-infected machines belonging to healthcare and education organizations.

As part of the PyXie attacks, legitimate LogMeIn and Google binaries were used to sideload the first stage DLL, which then locates its encrypted payload. The second stage installs itself, fingerprints the victim machine, achieves persistence, and spawns a new process to inject the third stage.
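As an added illustration (not code from the BlackBerry Cylance report or this article), the following Python scans Sysmon Event ID 7-style image-load records for the sideloading pattern described above: a binary signed by a trusted vendor loading a DLL that does not share its signature from the binary's own user-writable folder. The records are constructed samples, the file names are placeholders rather than campaign indicators, and the ProcessSignature field is assumed to have been joined in from process-creation telemetry.

```python
# Added example, not code from the report: flag a vendor-signed host binary
# loading a DLL that lacks its signature from the same user-writable folder.
import ntpath

# Publishers whose signed binaries were reported as sideloading hosts.
TRUSTED_HOST_PUBLISHERS = {"LogMeIn, Inc.", "Google LLC"}

# Directories ordinary users cannot write to; a DLL beside the host outside these is the suspicious case.
PROTECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

def is_sideload_candidate(event: dict) -> bool:
    """True when a trusted-publisher process loads a DLL that is unsigned
    (or signed by someone else) from the process's own unprotected folder.
    ProcessSignature is assumed to come from process-creation telemetry."""
    if event.get("EventID") != 7:
        return False
    host_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if host_dir != dll_dir or host_dir.startswith(PROTECTED_PREFIXES):
        return False
    publisher = event.get("ProcessSignature")
    if publisher not in TRUSTED_HOST_PUBLISHERS:
        return False
    return event.get("Signed") != "true" or event.get("Signature") != publisher

def scan(events):
    """Return (host, dll) pairs from the records that match the rule."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]

# Constructed sample records; names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\vendor.exe",
     "ProcessSignature": "LogMeIn, Inc.",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "Signature": "LogMeIn, Inc."},      # benign: protected dir
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vendor.exe",
     "ProcessSignature": "Google LLC",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "Signature": ""},                   # sideload candidate
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vendor.exe",
     "ProcessSignature": "Google LLC",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},  # system DLL, other dir
]
```

Running `scan(SAMPLE_EVENTS)` reports only the second record; in production the rule would be tuned with an allow-list of known vendor DLL names to keep noise down.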

Mutexes are created to ensure that a single payload instance is running at a time. If it has infected a process that runs with admin privileges, the second stage attempts to escalate its own privileges by creating a temporary service and respawning as a LOCAL SYSTEM process.

The third stage is a downloader named Cobalt Mode, which shares similarities with the Shifu banker. It was designed to connect to a command and control (C&C) server, fetch and decrypt an encrypted payload, map and execute it in the address space of the current process, and then spawn a new process for code injection.

Cobalt Mode can check whether it runs in a sandbox or virtual machine (VM), if a smart card reader is attached to the victim machine, and if a man-in-the-middle (MitM) attack is performed to intercept requests.

The final stage of the attack is the full-featured Python RAT called PyXie RAT, which can perform MITM interception, web-injects, keylogging, credential harvesting, network scanning, cookie theft, log clearing, video recording, payload execution, USB drive monitoring and data exfiltration, certificate theft, and software inventorying.

Other features of the malware include a WebDav server, Socks5 proxy, and Virtual Network Connection (VNC), along with the ability to enumerate domains using Sharphound.

The backdoor communicates with its C&C via HTTP/HTTPS, but also via comments left in GitHub gists. Based on received commands, it can download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself.

PyXie RAT was seen deployed by, and alongside, Cobalt Strike and a custom loader, a trojanized open-source Tetris game that has also been abused in ransomware attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.