Researchers have discovered a new information-stealing trojan, which targets Microsoft Windows systems with an abundance of data-exfiltration capabilities – from collecting browser credentials to targeting Outlook files.
This newly found Python-based malware family targets the Outlook processes, & browser credentials, of Microsoft Windows victims.
The trojan, called Py Micropsia (due to it being built with Python) has been developed by threat group Arid Viper, researchers observed, which is known for targeting organisations in the Middle East.
Threat Group
“Arid Viper is an active threat group that continues developing new tools as part of their arsenal,” researchers with Palo Alto’s Unit 42 research team stated in a Mon. analysis.
“Also, based on different aspects of Py Micropsia that we analysed, several sections of the malware are still not used, indicating that it is likely a malware family under active development by this actor.”
OST Files
The trojan’s information-stealing abilities include file uploading, payload downloading/execution, browser-credential stealing (& the ability to clear browsing history & profiles), taking screenshots & keylogging.
In addition, the malware can collect file listing information, delete files, reboot machines, collect information from USB drive & record audio; as well as harvest Outlook .OST files & kill/disable Outlook processes.
An OST file is an offline folder file in Microsoft Outlook, which makes it possible for users to work offline by synchronising changes with the Exchange server the next time they connect. OST files may contain email messages, contacts, tasks, calendar data & other account information.
The Trojan
The trojan has been made into a Windows executable by Py Installer, a Python package allowing applications into stand-alone executables. When downloaded, the malware “implements its main functionality by running a loop, where it initialises different threads & calls several tasks periodically with the intent of collecting information & interacting with the C2 operator,” according to researchers.
The threat player uses both built-in Python libraries & specific packages for information-stealing purposes – including Py Audio (enabling audio stealing capabilities) & mss (allowing screenshot capabilities).
“The usage of Python built-in libraries is expected for multiple purposes, such as interacting with Windows processes, Windows registry, networking, file system & so on,” commented researchers.
Microsoft Windows
Py Micropsia has relations to the Micropsia malware family, another Arid Viper malware known for targeting Microsoft Windows . These links include code overlaps; similar tactics, techniques & procedures (TTPs), such as the use of rar.exe to compress data for exfiltration; & similar command-&-control (C2) communication URI path structures.
Micropsia has also made references to specific themes in code & C2 implementations – including previous references to TV shows such as The Big Bang Theory & Game of Thrones.
Of note, in Py Micropsia’s code variables, researchers found references to multiple famous actor names, actors Fran Drescher & Keanu Reeves, which “seems in line with previous observations of themes,” observed researchers.
Arid Viper
While investigating Py Micropsia’s capabilities, researchers explained they also identified 2 additional samples contained in the attacker’s infrastructure.
These extra samples, which are downloaded & used by the trojan during its deployment, provide persistence & keylogging capabilities. They are not Python/ Py Installer based.
Py Micropsia is designed to target Windows operating systems only, but researchers found snippets in the code that check for other operating systems (such as “posix” or “darwin”). Posix, or the Portable Operating System Interface, is a family of standards used for maintaining compatibility between operating systems; & Darwin an open-source Unix-like operating system.
Python Code
“This is an interesting finding, as we have not witnessed Arid Viper targeting these operating systems before & this could represent a new area the actor is starting to explore,” they explained.
“For now, the code found is very simple, & could be part of a copy & paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.”
https://www.cybernewsgroup.co.uk/virtual-conference-january-2021/