Delaware, USA – December 3, 2019 – A Python-based Remote Access Trojan has been active since at least 2018 while remaining under the radar of security researchers. PyXie RAT was uncovered by BlackBerry Cylance researchers, who revealed that this malware is used in an ongoing, sophisticated cyber-criminal operation in which the adversaries have already compromised over 30 organizations in the healthcare and education sectors. The trojan is capable of stealing cookies and credentials, keylogging, recording video, and deploying other tools and malware samples onto infected systems, and it allows adversaries to perform man-in-the-middle attacks. In addition, PyXie RAT carefully removes traces of its malicious activity, which allowed it to remain undetected for such a long time. Attackers spread the malware by abusing legitimate applications and a sideloading technique to install a downloader that has similarities to the Shifu banking trojan. It uses PowerShell commands to achieve persistence and gain the necessary privileges.
Researchers have not yet been able to attribute PyXie RAT to a known threat actor and warn that the campaign is ongoing, with probably hundreds of systems across different organizations infected with this malware. BlackBerry Cylance also warned that in several cases the trojan was used to infect organizations with ransomware. You can use the APT Framework rule pack to uncover traces of malware activity and signs of a cyberattack at any stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework