
PyVil RAT

Posted: September 4, 2020

The PyVil RAT is a Remote Access Trojan that lets attackers control Windows systems or collect information from them through advanced features such as keylogging. It's a known tool of EVILNUM, an espionage-focused threat actor whose name comes from one of its earliest backdoor Trojans. Workers in vulnerable organizations should be watchful for possible e-mail-based attacks and keep anti-malware tools updated so that the PyVil RAT can be removed reliably.

Increasing Layers of Sophistication from Trojan-Engineering Spies

Although the EVILNUM group has been under the cyber-security sector's eye for years, 2020 is proving an energized time for the threat actor. After early campaigns using a backdoor Trojan with the same name, EVILNUM pivoted to other tools, such as the Cardinal RAT, and various custom-made and third-party Trojans. New information suggests that the hackers are using another threat as their favored attack method: the PyVil RAT, with heavy tailoring for stealth and fintech-targeting preferences.

The infection of financial technology systems occurs over e-mail, with workers opening corrupted attachments that use industry-specific lures such as Know Your Customer regulations content. The Trojan's delivery method is more convoluted than in previous EVILNUM attacks. It uses several kinds of obfuscation, such as a misappropriated and modified version of Oracle's Java Web Start Launcher and a fake Nvidia driver. These extras help the Trojan evade detection while it establishes a foothold for follow-on attacks.

Malware experts are outlining its most significant capabilities as:

  • The Trojan harvests various system statistics and transfers them to EVILNUM. Although this is typical for a RAT, it shows an unusual interest in monitoring USB devices.
  • Attackers can control infected PCs through an SSH shell and by issuing CMD system commands.
  • It can ferry data and software back and forth through conventional file-downloading and uploading activities.
  • It includes both screenshot-taking and keylogging features for collecting visual or typed information.

This list is far from exhaustive. The Trojan also may expand its payload's scope with additional plugin scripts. Like the primary Trojan, these add-ons are written in Python.

The Extermination that a New RAT Deserves

The PyVil RAT is a minor departure from some of EVILNUM's tendencies in older campaigns. It includes more advanced installation exploits and obfuscation, accompanied by a rapid expansion of the Command & Control domains. Even large, global corporations in the fintech sector are at risk from the PyVil RAT and other threats from this group, and should train their employees in security accordingly. E-mail attachments are a favored strategy for Remote Access Trojans and backdoor Trojans, particularly those targeting entities with valuable data on their PCs and related devices.

Phishing lures for the PyVil RAT don't require the victim to install Nvidia updates or Oracle products. They rely on users opening corrupted documents and unintentionally triggering the rest of the drive-by-download sequence. Users can reduce their risk by updating software, maintaining strong passwords and always disabling macros.

Since it's constructed completely as advanced and hidden spyware, users shouldn't try to identify or uninstall this threat manually. Up-to-date anti-malware services from reputable companies represent the best chance of deleting the PyVil RAT safely.

The PyVil RAT is after the same sensitive and high-stakes data as many corporate RATs but has a heaping helping of technology supporting it. Whether it's enough to make a difference in what it collects is entirely up to those whom EVILNUM robs.
