Palo Alto Networks' Unit 42 research team recently discovered that the threat group AridViper (aka APT-C-23) has deployed a new malware family targeting victims in the Middle East. It was found while the team was investigating AridViper's Micropsia malware.
What do we know?
- The newly developed Python-based malware, named PyMicropsia, has multiple information-stealing and control functions, including keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and configuration files, restarting the machine, and collecting Outlook process data.
- The Trojan bundles both built-in Python libraries and specific third-party packages, including PyAudio and mss, for purposes such as information theft, interaction with Windows processes, networking, file-system access, and Windows registry manipulation.
- The malware appears to be under active development: several sections of its code are not yet used, suggesting that functionality is still being added.
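The mix of bundled third-party packages (PyAudio, mss) and OS checks described above is the kind of thing a defender can look for when triaging an unknown Python-built executable. The script below is an added example written for this page, not code from Unit 42 or from the malware write-up: it extracts printable strings from a sample, looks for the package names and OS strings named in the report, and produces a simple review score. The PyInstaller marker strings (`PYZ-00.pyz`, `pyi_rth_`) are generic bundling artifacts assumed here for illustration and are not mentioned on the page; the two sample byte blobs are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator lists. The package names and OS strings come from the report above;
# the bundler markers are generic PyInstaller artifacts assumed for this example.
PACKAGE_INDICATORS = {"pyaudio", "mss"}
OS_CHECK_INDICATORS = {"posix", "darwin"}
BUNDLER_INDICATORS = {"pyz-00.pyz", "pyi_rth_"}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes (the 'strings' idea)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


@dataclass
class TriageResult:
    packages: set[str] = field(default_factory=set)
    os_checks: set[str] = field(default_factory=set)
    bundler: set[str] = field(default_factory=set)

    @property
    def score(self) -> int:
        # Third-party capture packages weigh more than generic OS or bundler strings.
        return len(self.packages) * 2 + len(self.os_checks) + len(self.bundler)

    @property
    def verdict(self) -> str:
        return "review" if self.score >= 3 else "low"


def triage_python_payload(data: bytes) -> TriageResult:
    """Scan a binary blob for the indicator families and collect what matched."""
    result = TriageResult()
    for s in extract_strings(data):
        low = s.lower()
        # Word-bounded matches so short names like 'mss' do not hit arbitrary text.
        for ind in PACKAGE_INDICATORS:
            if re.search(rf"\b{re.escape(ind)}\b", low):
                result.packages.add(ind)
        for ind in OS_CHECK_INDICATORS:
            if re.search(rf"\b{re.escape(ind)}\b", low):
                result.os_checks.add(ind)
        # Bundler markers are matched as plain substrings (they end in '_' or '.').
        for ind in BUNDLER_INDICATORS:
            if ind in low:
                result.bundler.add(ind)
    return result


# Constructed samples: a fake bundle containing the strings of interest, and a
# benign blob with ordinary application text.
SAMPLE_BUNDLE = (
    b"\x00\x01\x02MZ\x90\x00garbage\x7fELF"
    b"PYZ-00.pyz\x00"
    b"pyi_rth_multiprocessing\x00"
    b"import pyaudio\x00"
    b"from mss import mss\x00"
    b"if os.name == 'posix' or sys.platform == 'darwin':\x00"
)
SAMPLE_BENIGN = b"\x00\x00Hello World\x00normal application strings\x00mission statement\x00"

if __name__ == "__main__":
    for name, blob in (("bundle", SAMPLE_BUNDLE), ("benign", SAMPLE_BENIGN)):
        r = triage_python_payload(blob)
        print(f"{name}: score={r.score} verdict={r.verdict} "
              f"packages={sorted(r.packages)} os={sorted(r.os_checks)} "
              f"bundler={sorted(r.bundler)}")
```

A string scan of this kind is a triage aid, not a classifier: legitimate screen-recording or audio tools ship the same packages, so the verdict only says which samples deserve a closer look.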
Insights from the code
- Its code variables contain references to the names of many famous Hollywood actors, including Fran Drescher and Keanu Reeves.
- Its code also checks for other operating systems, such as Posix or Darwin.
- According to the report, beyond the code overlap, PyMicropsia and Micropsia share a similar C2 communication URI path structure and similar TTPs.
AridViper recent activity
- In September, the AridViper group was found using a variant of Android spyware, detected as Android/SpyC23.A, to spy on WhatsApp and Telegram users.
- Also in September, the Cybereason Nocturnus team observed the Evilnum group using a Python-scripted remote access trojan (RAT), called PyVil RAT, to target companies in the UK and the EU.
Today, several attack groups rely on Python-based malware in their operations. The AridViper team is expanding its toolkit: Python-based malware with code fragments still under development can gain enhanced persistence features, and the addition of Posix and Darwin support may make it a serious threat.