PyVil RAT by Evilnum Group

[post-views]
September 09, 2020 · 2 min read
PyVil RAT by Evilnum Group

The Evilnum group operations were first discovered in 2018. The group is highly focused on attacks on large financial technology organizations, especially on investment platforms and cryptocurrency-related companies. Most of their targets are located in Europe and the United Kingdom, but the group also carried out separate attacks on organizations in Canada and Australia. Researchers attribute this geography to the fact that most of the attacked companies have offices in several countries, and the attackers choose the one that is least protected. 

The Evilnum often uses LOLBins and common tools that can be purchased on the underground forums, and this complicates the attribution of attacks. Investigating recent attacks, researchers have discovered new malware in the arsenal of the group – Python-scripted Remote Access Trojan dubbed PyVil RAT. The trojan is modular and can download new modules that expand its functionalities. PyVil RAT can act as a keylogger and is capable of performing reconnaissance, taking screenshots, running cmd commands, opening an SSH shell, and installing additional malicious tools. 

Ariel Millahuel released new community threat hunting rule that helps to uncover traces of PyVil RAT in an organization’s network and disrupt the Evilnum group’s espionage activities: https://tdm.socprime.com/tdm/info/YgyDYAROBUOq/iYKSaHQBPeJ4_8xclmRF/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Obfuscated Files or Information (T1027)

 

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

 

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Execution Tactic | TA0002
Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
JSOutProx RAT
Blog, Latest Threats — 2 min read
JSOutProx RAT
Eugene Tkachenko
Transparent Tribe APT
Blog, Latest Threats — 2 min read
Transparent Tribe APT
Eugene Tkachenko