News | 12/11/2019

Hackers Used Nasty Python RAT, PyXie to deliver Ransomware


The cyber security researchers at Blackberry Cylance recently discovered a highly sophisticated hacking campaign targeting educational & healthcare organizations. The operation behind this attack was previously unknown; the researchers have named it PyXie.


According to the tech reports, PyXie first surfaced in 2018. It remained under the radar of the cyber security industry until December 2019.

Python RAT, or PyXie, is a Python-based Trojan that is currently being employed in a hacking operation by cyber criminals. This nasty malware gives the attackers illicit access to Windows-based systems, enabling them to monitor the activities of the targeted system & steal the user's sensitive information.

Detailed analysis conducted by the researchers reveals that Python RAT is working in conjunction with Cobalt Strike beacons & a downloader. It also bears behavioral similarities to a pernicious Banking Trojan named Shifu.

Malicious Functions Of PyXie Remote Access Trojan

Some of the malicious functions that PyXie RAT (Remote access Trojan) is capable of carrying out are mentioned below:

1). Acts as a keylogger (harvests pressed keys)

2). Gathers passwords & other sensitive information

3). Records Video

4). Steals cookies from the visited sites

5). Performs man-in-the-middle attacks

6). Invites & deploys other malware onto infected systems

7). Monitors USB drives

PyXie RAT was found in multiple incident response (IR) engagements conducted by the researchers at Blackberry Cylance. They named the malware PyXie because its compiled code uses a ‘.pyx’ file extension rather than the ‘.pyc’ extension normally associated with Python.

Researchers have strong evidence of the cyber threat-actors trying to target educational & healthcare organizations with Ransomware attacks.

Key-highlights of the Sophisticated Campaign that deploys PyXie

Analysts at Cylance have published a list of key features of the PyXie RAT. Some of them are mentioned below:

1). PyXie is capable of using legitimate LogMeIn & Google binaries to side-load its payloads.

2). It uses a trojanized Tetris application to place & execute Cobalt Strike stagers from the internal network shares.

3). PyXie uses a downloader named “Cobalt Mode” that bears resemblance to Shifu, a banking Trojan.

4). It possesses the capability of collecting active directory information from victims by using “Sharphound”.

5). PyXie uses a custom compiled Python Interpreter. This interpreter uses scrambled operation codes to hinder the analysis by the cyber-security researchers.

6). It uses a modified RC4 Algorithm to encrypt the payloads by assigning a distinctive key to each infected host.

How Does PyXie Carry Out the Attack?

Stage 1:

Initially, the campaign uses a side-loading technique to influence & control legitimate applications, and in this way loads the first stage of the malware attack.

In this stage, PyXie uses two malicious DLL variants to target well-known legitimate applications, namely LogMeIn and Google binaries.

Once one of these malicious DLLs is loaded, it locates its encrypted payload. The loader reads this payload from disk & then decrypts it using the AES-128 algorithm in Cipher Mode of operation.

The decryption of the payload results in the installation of the second stage of the malware.

Stage 2: PyXie Infection Process:

PyXie generates the Hardware ID Hash to collect the fingerprint of the targeted system. This Hardware ID hash is later used for seeding various new functions. It also generates 2 mutexes (Mutual Exclusion Object) to prevent multiple payload instances from running simultaneously.

The research by Cylance has revealed that, in case a process having administrator rights is infected with second stage payload, the malware will endeavor to enhance its privileges.

It is achieved by creating & using a temporary service & then running as a LOCAL SYSTEM Process. In order to remain under the radar, the malware deletes the temporary service from the Service Control Manager.
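The create-run-delete pattern described above leaves a trail a defender can hunt for. The following is an added example, not code from Cylance's research: it pairs service-install events with a deletion of the same service key shortly afterwards. The event records are constructed and simplified, and the host names, service names, paths and the 5-minute window are assumptions.

```python
from datetime import datetime, timedelta

SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"

# Constructed, simplified records (hosts, service names and paths are made up).
# id 7045: Service Control Manager "service installed" event.
# id 12:   Sysmon registry create/delete event; DeleteKey on a service key
#          is treated here as "service removed".
SAMPLE_EVENTS = [
    {"time": "2019-12-02T10:15:01", "host": "WS-017", "id": 7045,
     "service": "tmpsvc_a1", "account": "LocalSystem",
     "image": "C:\\Users\\Public\\stage.exe"},
    {"time": "2019-12-02T10:15:04", "host": "WS-017", "id": 12,
     "event_type": "DeleteKey",
     "target": "HKLM\\System\\CurrentControlSet\\Services\\tmpsvc_a1"},
    {"time": "2019-12-02T09:00:00", "host": "WS-020", "id": 7045,
     "service": "BackupAgent", "account": "LocalSystem",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"time": "2019-12-02T09:00:02", "host": "WS-020", "id": 12,
     "event_type": "DeleteKey",
     "target": "HKLM\\System\\CurrentControlSet\\Services\\BackupAgent\\Temp"},
    {"time": "2019-12-02T08:00:00", "host": "WS-021", "id": 7045,
     "service": "OldDriver", "account": "LocalSystem",
     "image": "C:\\Windows\\System32\\drivers\\old.sys"},
    {"time": "2019-12-02T11:30:00", "host": "WS-021", "id": 12,
     "event_type": "DeleteKey",
     "target": "HKLM\\System\\CurrentControlSet\\Services\\OldDriver"},
]

def short_lived_services(events, window=timedelta(minutes=5)):
    """Pair LocalSystem service installs with a deletion inside `window`."""
    installs, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 7045 and ev["account"].lower() == "localsystem":
            installs[(ev["host"], ev["service"].lower())] = (when, ev["image"])
        elif ev["id"] == 12 and ev.get("event_type") == "DeleteKey":
            key = ev["target"].lower()
            name = key[len(SERVICES_KEY):]
            if not key.startswith(SERVICES_KEY) or not name or "\\" in name:
                continue  # not a deletion of a service's own key
            seen = installs.pop((ev["host"], name), None)
            if seen and when - seen[0] <= window:
                hits.append({"host": ev["host"], "service": name,
                             "image": seen[1],
                             "lifetime_s": (when - seen[0]).total_seconds()})
    return hits
```

On the sample data only the service on WS-017, which lived for three seconds, is reported; the long-lived and never-deleted services are not.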


Python RAT then performs the installation process & loads the corresponding payload, which is copied to a sub-directory in the %APPDATA% folder.

The APPDATA directories targeted by the Python RAT installation include Wireshark, WinRAR, TeamViewer, Notepad++, Mozilla, Apple Computer, AnyDesk & more.
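The directory list above can be turned into a quick triage sweep. This added example, which is not part of the original research, lists files that start with the PE "MZ" signature under those %APPDATA% sub-directories, whatever their extension. Checking the signature rather than the extension is an assumption about what is worth reviewing, the list covers only the names given here, and results are candidates for review because legitimate software can also keep binaries there.

```python
import os

# Directory names the article lists as used under %APPDATA% ("& more" exist).
DECOY_DIRS = {"wireshark", "winrar", "teamviewer", "notepad++",
              "mozilla", "apple computer", "anydesk"}

def pe_files_in_decoy_dirs(appdata_root):
    """Return sorted relative paths of PE files under the listed directories."""
    found = []
    for entry in os.scandir(appdata_root):
        if not entry.is_dir() or entry.name.lower() not in DECOY_DIRS:
            continue
        for dirpath, _dirs, files in os.walk(entry.path):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        magic = fh.read(2)   # PE files begin with b"MZ"
                except OSError:
                    continue                 # locked or unreadable file
                if magic == b"MZ":
                    found.append(os.path.relpath(path, appdata_root))
    return sorted(found)

if __name__ == "__main__":
    root = os.environ.get("APPDATA")
    if root and os.path.isdir(root):
        for rel in pe_files_in_decoy_dirs(root):
            print(rel)
```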

Third Stage:

In this stage, the researchers detected a downloader that was named Cobalt Mode on the basis of certain debug information.

According to the analysis, Cobalt Mode carries out several primary functions. These are mentioned below:

1). It connects to a command & control (C&C) Server.

2). It downloads an encrypted payload.

3). It decrypts the payload.

4). It maps & executes the payload in the address space of the ongoing process.

In the Final Stage, PyXie RAT is compiled into executables. At this stage, the malware's developers compile a Python interpreter, which aids in loading an archive containing PyXie’s byte code from memory.
