
NEW ARIDVIPER(APT-C-23) MALWARE TARGETS OUTLOOK USERS

Palo Alto Networks' Unit 42 research team recently discovered that the threat group AridViper (aka APT-C-23) has launched a new type of malware that targets victims in the Middle East. This was discovered while investigating AridViper's Micropsia malware.

What do we know?

  • The newly developed Python-based malware is called PyMicropsia. It has multiple information-stealing and control functions, including keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and configuration files, restarting the computer, collecting Outlook process information, and more.
  • The Trojan uses both built-in Python libraries and specific third-party packages, including PyAudio and mss, for information theft, interaction with Windows processes, networking, file-system access, Windows registry access, and other purposes.
  • Several sections of its code are never used, which suggests the malware is still under active development.

Insights from the code

  • Its code variables contain references to the names of many famous Hollywood actors, including Fran Drescher and Keanu Reeves.
  • Its code also contains checks for other operating systems, such as POSIX and Darwin.
  • According to the report, besides code overlap, PyMicropsia and Micropsia share a similar C2 communication URI path structure and similar TTPs.

AridViper recent activity

  • In September, the AridViper group was found using a variant of Android spyware called Android/SpyC32.A to monitor WhatsApp and Telegram users.
  • Also in September, the Cybereason Nocturnus team observed the Evilnum group using a remote access Trojan (RAT) written in Python, called PyVil RAT, to target companies in the UK and the EU.

Bottom line

Today, several attack groups rely on Python-based malware in their cyber attacks. The AridViper group is expanding its malware toolset. Python-based malware whose code is still being developed leaves room for the attackers to add capabilities such as enhanced persistence. The addition of POSIX and Darwin OS checks may make it a serious threat.

IOCs

PyMICROPSIA

SHA256
11487246a864ee0edf2c05c5f1489558632fb05536d6a599558853640df8cd78
ddaeffb12a944a5f4d47b28affe97c1bc3a613dab32e5b5b426ef249cfc29273
46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531

SHA1
7a168e154c920b0742da4f515eb1aef695fe6713
323efb84b5f57db00b9bb3519117a6fa0f40ef5a
8000766286b4030ffe6d52d6b380a367bf8d5120

MD5
5a81decc96549c216c9976ae33c35514
ca1d9908f32ee5c0bdd9b4efec79108f
bbf630ca23976ddf8a561ccdb477c73d

MD5
ccc7a35a3977e2a4859f1dc8becca6b7
d35ff5620e18bf5aba1d2396828436ca
f303e8ef98e6326545838cee0105cd4e
dd8485d87d8998d47de4f5dfcc9213e1
af0e580b67938afaeb783b72cf2a1c61
0425bc5de50da34fb7be133851a3193d
6903e3646c29f4f8a2187880025123f1
46cd3890b5d6586bfcc940beb7d6bfe4
8d8c011ae462913386f63974bd239a60

SHA1
9e78e0647e56374cf9f429dc3ce412171d0b999e
344f1a9dc7f8abd88d1c94f4323646829d80c555
56f321518401528278e0e79fac8c12a57d9fa545
9e1399fede12ce876cdb7c6fdc2742c75b1add9a
6f251160c9b08f56681ea9256f8ecf3c3bcc66f8
91c12c134d4943654af5d6c23043e9962cff83c2
78dd3c98a2074a8d7b5d74030a170f5a1b0b57d4
1c89cea8953f5f72339b14716cef2bd11c7ecf9a
e79849c9d3dc87ff6820c3f08ab90e6aeb9cc216
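As an added defender-side example (not code from the article or from Unit 42), the script below turns the hash list above into a lookup table and sweeps a directory for files whose MD5, SHA1 or SHA256 digest appears in it. The hash type is recognised by hex length (32 = MD5, 40 = SHA1, 64 = SHA256), malformed lines are reported instead of silently dropped, and the IOC text is embedded verbatim from the list above so the script runs offline; the directory path is the only input you supply.

```python
"""Sweep a directory for files matching the PyMicropsia hash IOCs above.

Added example for this page; the hashes are copied from the article's IOC
section, everything else is assumed (function names, CLI usage).
"""
import hashlib
import sys
from pathlib import Path

# IOC hashes exactly as listed on the page (MD5, SHA1 and SHA256 mixed).
IOC_TEXT = """
11487246a864ee0edf2c05c5f1489558632fb05536d6a599558853640df8cd78
ddaeffb12a944a5f4d47b28affe97c1bc3a613dab32e5b5b426ef249cfc29273
46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531
7a168e154c920b0742da4f515eb1aef695fe6713
323efb84b5f57db00b9bb3519117a6fa0f40ef5a
8000766286b4030ffe6d52d6b380a367bf8d5120
5a81decc96549c216c9976ae33c35514
ca1d9908f32ee5c0bdd9b4efec79108f
bbf630ca23976ddf8a561ccdb477c73d
ccc7a35a3977e2a4859f1dc8becca6b7
d35ff5620e18bf5aba1d2396828436ca
f303e8ef98e6326545838cee0105cd4e
dd8485d87d8998d47de4f5dfcc9213e1
af0e580b67938afaeb783b72cf2a1c61
0425bc5de50da34fb7be133851a3193d
6903e3646c29f4f8a2187880025123f1
46cd3890b5d6586bfcc940beb7d6bfe4
8d8c011ae462913386f63974bd239a60
9e78e0647e56374cf9f429dc3ce412171d0b999e
344f1a9dc7f8abd88d1c94f4323646829d80c555
56f321518401528278e0e79fac8c12a57d9fa545
9e1399fede12ce876cdb7c6fdc2742c75b1add9a
6f251160c9b08f56681ea9256f8ecf3c3bcc66f8
91c12c134d4943654af5d6c23043e9962cff83c2
78dd3c98a2074a8d7b5d74030a170f5a1b0b57d4
1c89cea8953f5f72339b14716cef2bd11c7ecf9a
e79849c9d3dc87ff6820c3f08ab90e6aeb9cc216
"""

# Hex digest length identifies the algorithm; anything else is rejected.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def load_iocs(text):
    """Parse an IOC list into {algo: set(hex)}; return malformed lines separately."""
    iocs = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    malformed = []
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        algo = ALGO_BY_LENGTH.get(len(token))
        if algo is None or not set(token) <= HEX_DIGITS:
            malformed.append(token)  # e.g. truncated copy/paste of a hash
            continue
        iocs[algo].add(token)
    return iocs, malformed


def digests_of(data):
    """Compute all three digests once so each file is read a single time."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGO_BY_LENGTH.values()}


def match_bytes(data, iocs):
    """Return [(algo, digest)] for every digest of `data` found in the IOC set."""
    return [(algo, d) for algo, d in digests_of(data).items() if d in iocs[algo]]


def scan_directory(root, iocs):
    """Walk `root` recursively; map each matching file path to its IOC hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file (permissions, transient lock): skip, keep going
        found = match_bytes(data, iocs)
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    table, bad = load_iocs(IOC_TEXT)
    for entry in bad:
        print("skipping malformed IOC:", entry, file=sys.stderr)
    for file_path, found in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", table).items():
        for algo, digest in found:
            print(f"MATCH {file_path} {algo}={digest}")
```

Hash IOCs only catch byte-identical samples; since the report says PyMicropsia is still being developed, treat a clean sweep as absence of these specific builds, not absence of the family.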