
PyXie RAT

Posted: December 3, 2019

The PyXie RAT is a Remote Access Trojan that collects information from your computer and provides significant remote administrative capabilities to attackers. The PyXie RAT uses sophisticated means of concealment and may include other threats alongside it, such as Mimikatz or file-locking Trojans. Users should depend on appropriate anti-malware products for deleting the PyXie RAT safely.

A Python Pixie Drifting through Your Network

Since 2018, a Trojan with both data-snatching and system-controlling features has been conducting attacks against business entities, primarily ones in the healthcare and educational sectors. The PyXie RAT is a particularly well-put-together threat, with thorough obfuscation and stealth characteristics backing up its more typical, but invasive, set of attack commands. It's not hard to see why the PyXie RAT evaded analysis for roughly a year until researchers finally cracked its shell.

The PyXie RAT is a fourth-stage threat whose installation routine goes through various exploits and unique tricks, most of which are for hiding itself. It uses side-loading (like the Amavaldo banking Trojan or the Chinese PlugX) by hijacking Google and LogMeIn components. The routine also employs a Trojan downloader that's a modified version of the Shifu banking Trojan, encrypts payloads with victim-customized obfuscation, and even goes so far as to have its own private Python compiler.
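The side-loading described above relies on a legitimately signed executable loading an attacker-supplied DLL from its own directory, so the obvious defensive check is to compare who signed the host against who signed the DLL it pulled in. The Python below is an added example, not code from the original page and not tied to any specific PyXie artifact: it runs that heuristic over constructed image-load records of the kind an EDR or Sysmon export might provide. The field names, file paths and publisher strings are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ModuleLoad:
    """One image-load event: which executable loaded which DLL, and who signed each.
    The field names are an assumption about what an EDR or Sysmon export provides."""
    process: str                   # full path of the executable image
    process_signer: Optional[str]  # Authenticode publisher, None if unsigned
    module: str                    # full path of the DLL that was loaded
    module_signer: Optional[str]


# Locations a properly installed, signed program is expected to run from.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)


def _parts(path: str) -> List[str]:
    """Case-folded path components, so comparisons ignore Windows casing."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under(path: str, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root` (compared component-wise, not as a string prefix)."""
    root_parts = [p.lower() for p in root.parts]
    return _parts(path)[: len(root_parts)] == root_parts


def assess(load: ModuleLoad) -> List[str]:
    """Return the reasons a load looks like side-loading; an empty list means benign.

    Heuristic: a signed executable loads a DLL from its own directory, and that DLL
    is unsigned or carries a different publisher than the executable. Running from
    outside a normal install location is reported as an aggravating factor.
    """
    if load.process_signer is None:
        return []  # side-loading abuses trust in a signed host; unsigned hosts are out of scope
    exe_dir = _parts(load.process)[:-1]
    dll_dir = _parts(load.module)[:-1]
    if exe_dir != dll_dir:
        return []  # DLL came from elsewhere (e.g. System32), not the side-by-side layout
    reasons: List[str] = []
    if load.module_signer is None:
        reasons.append("unsigned DLL loaded from the signed executable's own directory")
    elif load.module_signer != load.process_signer:
        reasons.append(
            f"DLL publisher {load.module_signer!r} differs from executable publisher "
            f"{load.process_signer!r}"
        )
    if reasons and not any(_under(load.process, r) for r in TRUSTED_ROOTS):
        reasons.append("signed executable is running outside its normal install location")
    return reasons


def find_side_loads(loads: List[ModuleLoad]) -> Dict[str, List[str]]:
    """Map each flagged DLL path to its reasons, ready for an alert or a triage list."""
    hits: Dict[str, List[str]] = {}
    for load in loads:
        reasons = assess(load)
        if reasons:
            hits[load.module] = reasons
    return hits


# Constructed sample telemetry; every path and publisher name is a placeholder.
SAMPLE_LOADS = [
    # Normal: a signed updater loading a system DLL from System32.
    ModuleLoad(r"C:\Program Files\VendorA\updater.exe", "VendorA Inc.",
               r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    # Normal: the same updater loading its own signed helper from its install directory.
    ModuleLoad(r"C:\Program Files\VendorA\updater.exe", "VendorA Inc.",
               r"C:\Program Files\VendorA\helper.dll", "VendorA Inc."),
    # Suspicious: the signed updater copied to a staging directory, loading an unsigned helper.
    ModuleLoad(r"C:\Users\Public\stage\updater.exe", "VendorA Inc.",
               r"C:\Users\Public\stage\helper.dll", None),
    # Suspicious: a signed tool in Temp loading a DLL from a different publisher.
    ModuleLoad(r"C:\Users\alice\AppData\Local\Temp\sync.exe", "VendorB LLC",
               r"C:\Users\alice\AppData\Local\Temp\netutil.dll", "Placeholder Co"),
    # Ignored: unsigned executable; the heuristic only covers abuse of signed hosts.
    ModuleLoad(r"C:\Users\alice\Downloads\game.exe", None,
               r"C:\Users\alice\Downloads\game.dll", None),
]


if __name__ == "__main__":
    for dll, reasons in find_side_loads(SAMPLE_LOADS).items():
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

The publisher comparison is deliberately strict: a DLL signed by anyone other than the host's publisher is reported, because a valid but unrelated signature is exactly what a repurposed loader would carry. In a real pipeline the signer fields would come from certificate validation on the endpoint, and the trusted-root list would be extended with the organisation's own deployment paths.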

After multiple stages with these and other deceptions, the PyXie RAT finally arrives. It supports a generous number of attacks, many of which are command-driven. It may conduct Man-in-the-Middle attacks and inject browser content, establish virtual network connections, collect cookie files, wipe system logs, record keyboard typing/video, scan local networks for further victims, monitor and exfiltrate information from USB devices and collect certificates. The Trojan also has a dedicated feature just for Mimikatz, a spyware application that grabs passwords.

Watch What's Happening While Blocks are Falling

While not all of its infection methods use this technique, some of the PyXie RAT's installers employ a creative gaming tactic. The loading component – a Trojan with open-source origins that also sees use in file-locking Trojan attacks – is a functional Tetris game. While it's running, it silently injects its payload into another memory process, including some elements of the PyXie RAT's so-called 'Cobalt Mode'. The name comes from a maliciously modified version of Cobalt Strike, which is a legitimate tool for network penetration tests.

The reference to file-locker Trojans also comes back to the PyXie RAT in a second way – the Trojan sometimes installs them itself. Since delivering such threats takes up very little of its overall command capabilities, it's incredibly likely that the administrators are providing the PyXie RAT's downloading feature as a third-party delivery vehicle to other criminals, at a price. Loss of credentials and other data remains a significant risk with all PyXie RAT infections, besides the dangers of having any media locked or encrypted.

Users should update anti-malware products to improve their detection rates and remove the PyXie RAT safely while scanning new downloads or the overall system. Afterward, victims should change compromised credentials, such as their logins, ASAP.

It's not every day that a RAT packs a private interpreter, instead of falling back to a standard, preexisting one like PyInstaller. The PyXie RAT has had a lot of work put into its campaign, and malware experts recommend all affected industries update their network security standards to compensate for it urgently.
