A new RAT malware has been detected (PyVil RAT), the latest tool from the Evilnum group of cybercriminals. The investigation was carried out by the Nocturnus group of the security company Cybereason, which has been investigating and closely following the Evilnum group since its creation.

This investigation uncovered the PyVil RAT malware, created to try to evade antivirus products. To this end, its creators developed the malware (or part of it) in the Python programming language, a language rarely seen in the malware world, since these cybercriminals generally rely on languages such as C# and JavaScript; hence the "Py" in its name, a Python RAT.

How PyVil RAT spreads

The distribution method this group has chosen continues to be spear phishing: a scam carried out by e-mail in which they embed a document, generally a malicious PDF, together with a lure text that leads the victim to click, thereby enabling infection of the system.

The infection, in addition to collecting all kinds of data, as almost all malware does, also includes a keylogger, a screen capture option and even uses a tool (LaZagne) to obtain the credentials saved in browsers. The evolution of this RAT (Remote Access Trojan) family seems to be oriented towards fintech, i.e. financial engineering.

The actions PyVil RAT can take are focused on gathering information. For this purpose it installs a keylogger, complemented by the screen capture function and the ability to collect information about the infected system, including the version of Windows that is running, which antivirus products are installed and whether any USB devices are connected. Given that, as already mentioned, the campaign has been directed at companies in the financial sector, it is easy to imagine how sensitive the information this Trojan can capture is; once exfiltrated to the server, it remains at Evilnum's disposal.


2 comments on «PyVil RAT – New Trojan from the Evilnum group»