Experts at BlackBerry Cylance have spotted a new Python-based remote access Trojan (RAT) that has been used in campaigns targeting a wide range of industries.
The threat actors behind PyXie were observed attempting to deliver ransomware to the healthcare and education industries with this new RAT.
Attackers used legitimate LogMeIn and Google binaries to
As part of the PyXie attacks, legitimate LogMeIn and Google binaries were used to
The malware creates two
“If the process infected with the second stage payload is running with administrator privileges, the malware will attempt to escalate its own privileges,” continues the analysis. “It does so by creating and starting a temporary se
The third stage payload is a downloader dubbed Cobalt Mode, which shares similarities with the Shifu banking Trojan. Upon execution, it connects to a command and control (C&C) server, fetches an encrypted payload and decrypts it, maps and executes the payload in the address space of the current process, and then spawns a new process for code injection.
Cobalt Mode also checks whether it runs in a sandbox or
The last stage of the attack chain is the PyXie RAT, which supports the following features:
Communication with the C2 server is implemented over HTTP/HTTPS, with a backup mechanism that uses comments left in GitHub Gists.
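A backup channel built on Gist comments is a dead-drop resolver: the implant periodically reads a public page to learn where to go next, so the network signal is not the C2 host but steady polling of the same Gist by a non-browser client. The following is an added example, not code from the BlackBerry Cylance report or from PyXie itself: a small heuristic that parses constructed proxy log lines and flags clients that repeatedly fetch the comments of one Gist at a regular cadence. The log format, the sample lines, the client addresses and the thresholds (`min_hits`, `max_interval_s`) are assumptions for this example; the `api.github.com/gists/<id>/comments` URL shape is GitHub's real REST endpoint.

```python
"""Flag hosts polling GitHub Gist comment endpoints in proxy logs.

Added example for the PyXie write-up, not code from the report or the malware.
Log format and sample lines are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, client IP, method, URL, user agent.
SAMPLE_LOG = """\
2019-12-02T10:00:01Z 10.1.2.3 GET https://www.google.com/ Mozilla/5.0
2019-12-02T10:00:05Z 10.1.2.3 GET https://api.github.com/gists/0123456789abcdef0123456789abcdef/comments python-requests/2.22.0
2019-12-02T10:05:06Z 10.1.2.3 GET https://api.github.com/gists/0123456789abcdef0123456789abcdef/comments python-requests/2.22.0
2019-12-02T10:10:07Z 10.1.2.3 GET https://api.github.com/gists/0123456789abcdef0123456789abcdef/comments python-requests/2.22.0
2019-12-02T10:11:00Z 10.1.2.9 GET https://gist.github.com/someuser/abcdef0123456789 Mozilla/5.0 (Windows NT 10.0)
2019-12-02T10:12:00Z 10.1.2.9 GET https://api.github.com/repos/octocat/hello-world Mozilla/5.0 (Windows NT 10.0)
"""

# Assumed log layout: five whitespace-separated fields, user agent last (may contain spaces).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# Real GitHub REST endpoint for reading a Gist's comments (Gist IDs are hex strings).
GIST_COMMENTS_RE = re.compile(
    r"^https://api\.github\.com/gists/([0-9a-f]+)/comments(?:\?.*)?$"
)


def parse_line(line):
    """Return one log record as a dict, or None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "url": url,
        "ua": ua,
    }


def find_gist_pollers(log_text, min_hits=3, max_interval_s=900):
    """Return {client: {gist_id: hit_count}} for clients that read the same Gist's
    comments at least min_hits times with no more than max_interval_s between reads.

    A steady cadence against one Gist is what a dead-drop resolver looks like;
    a developer who opens a Gist once or twice does not trip the rule.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = GIST_COMMENTS_RE.match(rec["url"])
        if m:
            hits[rec["client"]][m.group(1)].append(rec["ts"])

    findings = {}
    for client, gists in hits.items():
        for gist_id, stamps in gists.items():
            stamps.sort()
            if len(stamps) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if all(g <= max_interval_s for g in gaps):
                findings.setdefault(client, {})[gist_id] = len(stamps)
    return findings


if __name__ == "__main__":
    for client, gists in find_gist_pollers(SAMPLE_LOG).items():
        for gist_id, count in gists.items():
            print(f"{client} polled gist {gist_id} comments {count} times")
```

On the constructed sample only `10.1.2.3` is reported, for three reads of one Gist's comments five minutes apart; the browser-looking host that views a Gist page once and then touches an unrelated repository endpoint is not. In a real environment developer tooling and CI jobs also read Gists, so treat a hit as a lead to pivot on (process name, user agent, what the host did next) rather than a verdict, and tune the cadence thresholds to what your own implant telemetry or sandbox runs show.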
The malware is able to download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself from the infected system.
Experts observed the RAT being deployed in conjunction with Cobalt Strike, using a Trojanized open-source Tetris game as a loader.
Technical details about the malware, including the Indicators of Compromise (IOCs) are available in the report published by
(SecurityAffairs – PyXie RAT, malware)