A new Python-based remote access Trojan (RAT) has been used in campaigns targeting a wide range of industries, BlackBerry Cylance revealed this week.
Dubbed PyXie, the malware has been active since last year but has received little attention, even though it has been observed alongside Cobalt Strike beacons and a downloader that appears linked to the Shifu banking Trojan.
The list of targeted industries includes education, conglomerate, manufacturing, healthcare, technology, IT, government, software, engineering, apparel, retail, facilities management, and recycling, BlackBerry Cylance told SecurityWeek.
The company’s researchers also found ransomware on several PyXie-infected machines belonging to healthcare and education organizations.
As part of the PyXie attacks, legitimate LogMeIn and Google binaries were abused to sideload the first-stage DLL, which then locates its encrypted payload. The second stage installs itself, fingerprints the victim machine, achieves persistence, and spawns a new process into which it injects the third stage.
Mutexes are created to ensure that a single payload instance is running at a time. If it has infected a process that runs with admin privileges, the second stage attempts to escalate its own privileges by creating a temporary service and respawning as a LOCAL SYSTEM process.
The third stage is a downloader named Cobalt Mode, which shares similarities with the Shifu banker. It connects to a command and control (C&C) server, fetches an encrypted payload and decrypts it, maps and executes the payload in the address space of the current process, and then spawns a new process for code injection.
Cobalt Mode can check whether it is running in a sandbox or virtual machine (VM), whether a smart card reader is attached to the victim machine, and whether its requests are being intercepted by a man-in-the-middle (MitM). The last check matters for analysts: dynamic analysis that intercepts the sample’s traffic may never observe the payload being fetched.
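Two of the steps above leave host telemetry a defender can hunt on: the first-stage DLL sideloaded by a legitimate binary, and the second stage's temporary service used to respawn as LOCAL SYSTEM. The following is an added example, not code from BlackBerry Cylance or from PyXie. It runs two heuristics over constructed, event-log-shaped records; the field names follow Sysmon Event 7 (Image, ImageLoaded, Signed), Sysmon Event 12 (EventType, TargetObject) and the System log's Event 7045 (ServiceName, ImagePath), but every path, service name and timestamp is made up for illustration.

```python
"""Detection heuristics for the PyXie-style staging chain (added example, not
the vendor's or the malware's code). Input records are constructed; field
names mirror Sysmon Event 7 / Event 12 and System log Event 7045, with the
7045 timestamp normalised into a Sysmon-style "UtcTime" field."""
from datetime import datetime, timedelta
import ntpath

# Directories where a DLL sitting next to its host binary is expected.
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"


def _ts(s):
    # Sysmon's UtcTime format: "YYYY-MM-DD HH:MM:SS.fff"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def sideload_candidates(events):
    """Sysmon Event 7: an unsigned DLL loaded from the same directory as the
    host process image, with that directory outside the usual install paths.
    A legitimate binary dropped beside a malicious DLL looks exactly like this."""
    hits = []
    for e in events:
        if e["EventID"] != 7 or e["Signed"].lower() != "false":
            continue
        proc_dir = ntpath.dirname(e["Image"]).lower()
        dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        if proc_dir == dll_dir and not in_trusted_dir(e["ImageLoaded"]):
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits


def short_lived_services(events, window=timedelta(seconds=120)):
    """Pair each Event 7045 (service installed) with a later Sysmon Event 12
    DeleteKey on that service's registry key. A service that lives only for
    seconds matches the 'temporary service' escalation step; the binary path
    is returned so an analyst can see whether it points somewhere unexpected."""
    installs = {}
    for e in events:
        if e["EventID"] == 7045:
            installs[e["ServiceName"].lower()] = e
    hits = []
    for e in events:
        if e["EventID"] != 12 or e["EventType"] != "DeleteKey":
            continue
        key = e["TargetObject"].lower()
        if not key.startswith(SERVICES_KEY):
            continue
        name = key[len(SERVICES_KEY):].split("\\")[0]
        inst = installs.get(name)
        if inst is None:
            continue
        lifetime = _ts(e["UtcTime"]) - _ts(inst["UtcTime"])
        if timedelta(0) <= lifetime <= window:
            hits.append((name, inst["ImagePath"], int(lifetime.total_seconds())))
    return hits


# Constructed sample telemetry; none of these names are real PyXie indicators.
_TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\updater\\"
SAMPLE_EVENTS = [
    # Stage 1: unsigned DLL beside a (hypothetical) legitimate tool in %TEMP%.
    {"EventID": 7, "UtcTime": "2019-12-02 10:00:01.000", "Signed": "false",
     "Image": _TMP + "vendor_tool.exe", "ImageLoaded": _TMP + "helper.dll"},
    # Benign: signed DLL next to its host under Program Files.
    {"EventID": 7, "UtcTime": "2019-12-02 10:00:01.200", "Signed": "true",
     "Image": "C:\\Program Files\\Vendor\\vendor_tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll"},
    # Unsigned, but loaded from a different directory: not a sideload pattern.
    {"EventID": 7, "UtcTime": "2019-12-02 10:00:01.400", "Signed": "false",
     "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\plugin.dll"},
    # Stage 2: service installed, then its key deleted three seconds later.
    {"EventID": 7045, "UtcTime": "2019-12-02 10:00:02.500",
     "ServiceName": "tmpsvc_4f2a", "ImagePath": _TMP + "vendor_tool.exe"},
    {"EventID": 12, "UtcTime": "2019-12-02 10:00:02.500", "EventType": "CreateKey",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\tmpsvc_4f2a"},
    {"EventID": 12, "UtcTime": "2019-12-02 10:00:05.500", "EventType": "DeleteKey",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\tmpsvc_4f2a"},
    # Benign: a vendor service that is installed and stays installed.
    {"EventID": 7045, "UtcTime": "2019-12-02 10:05:00.000",
     "ServiceName": "VendorUpdate", "ImagePath": "C:\\Program Files\\Vendor\\updsvc.exe"},
]


def run(events=SAMPLE_EVENTS):
    return {"sideload": sideload_candidates(events),
            "temp_services": short_lived_services(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

Event 7045 is written by the Service Control Manager by default, but Sysmon only records Event 12 for the Services key if its configuration includes that path, and Event 7 image-load logging is high-volume and usually filtered; both rules therefore assume the telemetry is actually being collected. Installers that legitimately create and remove a helper service will also pair a 7045 with a DeleteKey, which is why the second rule returns the binary path rather than asserting malice on its own.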
The final stage of the attack is the full-featured Python RAT called PyXie RAT, which can perform MitM interception, web-injects, keylogging, credential harvesting, network scanning, cookie theft, log clearing, video recording, payload execution, USB drive monitoring and data exfiltration, certificate theft, and software inventorying.
Other features of the malware include a WebDAV server, a SOCKS5 proxy, and Virtual Network Computing (VNC) remote control, along with the ability to enumerate Active Directory domains using SharpHound, the BloodHound data collector.
The backdoor communicates with its C&C via HTTP/HTTPS, but also via comments left in GitHub gists. Based on received commands, it can download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself.
PyXie RAT has been deployed both by and alongside Cobalt Strike, as well as by a custom loader: a trojanized open-source Tetris game that has also been used in ransomware attacks.