Newly discovered Windows information-stealing malware, linked to an active threat group tracked as AridViper, shows signs that it may later be used to infect computers running Linux and macOS.
The new Trojan, which Unit 42 has named PyMICROPSIA, was discovered while investigating the activity of AridViper (also known as Desert Falcon and APT-C-23), a group of Arabic-speaking cyberspies that has focused on Middle Eastern targets since at least 2011.
Kaspersky Lab’s Global Research and Analysis Team (GReAT) says AridViper operates primarily in Palestine, Egypt and Turkey, and had claimed more than 3,000 victims in 2015 [PDF].
New attack vector found in code
While PyMICROPSIA is Python-based malware packaged into Windows executables with PyInstaller and aimed specifically at Windows systems, Unit 42 also found code snippets suggesting that its creators may be working on multi-platform support.
“PyMICROPSIA is intended to target only the Windows operating system, but the code contains interesting snippets for checking other operating systems such as ‘posix’ or ‘darwin’,” Unit 42 said.
“This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before, and it may represent new territory that participants are beginning to explore.”
However, these checks were most likely introduced when the malware’s developers pasted code from other “projects”, and they will probably be removed in future versions of the PyMICROPSIA Trojan.
Image: operating-system checks for Linux and macOS in the PyMICROPSIA code (Source: Unit 42)
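The PyInstaller packaging mentioned above is itself a useful triage signal for defenders. The Python script below is an added example written for this article, not code from Unit 42 or from the malware: it locates the archive cookie that PyInstaller appends to every bundled executable (the magic bytes and the 88-byte cookie layout are PyInstaller's own), decodes the embedded Python version and library name, and sweeps for strings typical of PyInstaller bootloaders. The binary it inspects in `build_sample()` is constructed for the demonstration. A hit tells an analyst the file is a bundled Python program whose scripts can be unpacked and read rather than reverse-engineered as native code.

```python
"""Triage helper: recognise PyInstaller-built executables (added example)."""
import struct
from typing import Optional

# PyInstaller terminates its appended archive with a cookie starting with this magic.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout used by PyInstaller 2.1 and later (big-endian): magic, package
# length, TOC offset, TOC length, Python version, Python shared-library name.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes
# Strings that PyInstaller bootloaders and archives routinely carry.
PYINSTALLER_STRINGS = (b"PYZ-00.pyz", b"pyi-windows-manifest-filename", b"_MEIPASS")


def parse_cookie(data: bytes) -> Optional[dict]:
    """Decode the PyInstaller cookie at the end of the archive, or None if absent.

    Some bootloaders embed the magic as a constant too, so search from the end
    of the file, which is where PyInstaller places the real cookie.
    """
    off = data.rfind(PYINSTALLER_MAGIC)
    if off == -1 or off + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FORMAT, data[off:off + COOKIE_SIZE]
    )
    # The version is packed without a separator, e.g. 27, 38 or 311.
    major, minor = (pyver // 10, pyver % 10) if pyver < 100 else (pyver // 100, pyver % 100)
    return {
        "cookie_offset": off,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage(data: bytes) -> dict:
    """Combine the cookie check with a string sweep into a verdict."""
    cookie = parse_cookie(data)
    strings = [s.decode() for s in PYINSTALLER_STRINGS if s in data]
    return {
        "is_pyinstaller": cookie is not None or len(strings) >= 2,
        "cookie": cookie,
        "strings": strings,
    }


def triage_file(path: str) -> dict:
    """Run the triage against a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller onefile binary (not a real sample):
    a fake PE stub, an archive region with a typical embedded name, and a cookie."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode" + b"\x00" * 200
    archive = b"PYZ-00.pyz" + b"\x00" * 100
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, len(archive) + COOKIE_SIZE, 0, 10, 38, b"python38.dll"
    )
    return fake_pe + archive + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against a real binary with `triage_file(path)`; the `cookie` dictionary gives the Python version the sample was built with, which decides which decompiler tooling applies once the archive is extracted.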
Data theft and other payload delivery
As for the Trojan’s functionality, Unit 42 uncovered many features while analyzing malware samples found on infected devices, along with additional (non-Python) payloads downloaded from the attackers’ command-and-control (C2) server.
Its capabilities span data theft, device control and the delivery of further payloads.
The full list of features includes, but is not limited to:
Payload downloading and execution.
Browser credential theft. Clearing of browsing history and profiles.
Compressing stolen information into RAR archives.
Collecting process information and killing processes.
Collecting file listings.
Rebooting the machine.
Collecting Outlook .ost files. Killing and disabling the Outlook process.
Deleting, creating, compressing and exfiltrating files and folders.
Collecting information from USB drives, including file exfiltration.
Source: Unit 42
PyMICROPSIA leverages a wide range of Python libraries for its functionality, from stealing messages and files to interacting with Windows processes, the file system and the registry.
The Trojan’s keylogging feature, implemented with the GetAsyncKeyState API, is part of a separate payload that it downloads from the C2 server.
That downloaded payload also gains persistence by dropping a .LNK shortcut into the Windows startup folder of the infected computer.
PyMICROPSIA also uses other persistence methods, including dedicated registry entries that relaunch the malware after a system reboot.
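Both persistence mechanisms named here, a shortcut in the Startup folder and a Run registry entry, leave artifacts a defender can enumerate and score. The Python below is an added example written for this article (not Unit 42 code or anything from the malware): it collects HKCU/HKLM Run values on Windows through the standard-library `winreg` module, accepts Startup-folder shortcuts as name/target pairs, and flags auto-start entries whose launcher lives in a user-writable or temporary directory, is a script interpreter rather than an installed program, or borrows a Microsoft/Windows-sounding name from outside the system directories. The inventory in `sample_entries()` is constructed; its paths and names are illustrative, not indicators from the report.

```python
"""Hunt helper for Startup-folder and Run-key persistence (added example)."""
import sys
from dataclasses import dataclass
from typing import List

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Directories a dropper can write to without elevation; installers rarely auto-start from them.
USER_WRITABLE_HINTS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\windows\\temp\\",
)
# Interpreters and proxies that run arbitrary scripts at logon.
SCRIPT_LAUNCHERS = ("python", "pythonw", "wscript", "cscript", "powershell", "mshta", "rundll32", "cmd")
# Words that imitate Microsoft components; only suspicious outside the trusted directories.
BRAND_WORDS = ("microsoft", "windows", "update", "security")
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")
# Common variables normalised so the path checks also work when run off-box on Linux/macOS.
ENV_EXPANSIONS = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows", "%programfiles%": r"c:\program files"}


@dataclass
class AutoStart:
    source: str  # "HKCU Run key", "HKLM Run key" or "Startup folder"
    name: str    # registry value name or .lnk file name
    target: str  # command line or shortcut target


def launched_executable(command: str) -> str:
    """Extract the program path from a command line (quoted or not), lower-cased and expanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    exe = exe.lower()
    for var, value in ENV_EXPANSIONS.items():
        exe = exe.replace(var, value)
    return exe


def assess(entry: AutoStart) -> List[str]:
    """Return the reasons an auto-start entry looks suspicious (empty list = nothing noted)."""
    exe = launched_executable(entry.target)
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if any(h in exe for h in USER_WRITABLE_HINTS):
        reasons.append("launches from a user-writable or temporary directory")
    if stem in SCRIPT_LAUNCHERS:
        reasons.append(f"uses script launcher {stem} instead of an installed program")
    lowered = (entry.name + " " + exe).lower()
    if any(w in lowered for w in BRAND_WORDS) and not any(d in exe for d in TRUSTED_DIRS):
        reasons.append("Microsoft-sounding name outside Windows/Program Files")
    if entry.source == "Startup folder" and entry.name.lower().count(".") > 1:
        reasons.append("double extension in shortcut name")
    return reasons


def hunt(entries: List[AutoStart]) -> List[dict]:
    """Keep only the entries with at least one reason, for analyst review."""
    findings = []
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings.append({"source": entry.source, "name": entry.name,
                             "target": entry.target, "reasons": reasons})
    return findings


def collect_run_keys() -> List[AutoStart]:
    """Read HKCU and HKLM Run values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    found = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:  # raised once the values are exhausted
                    break
                found.append(AutoStart(f"{label} Run key", name, str(value)))
                index += 1
    return found


def sample_entries() -> List[AutoStart]:
    """Constructed inventory for demonstration; not data from the Unit 42 report."""
    return [
        AutoStart("HKLM Run key", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
        AutoStart("HKCU Run key", "Microsoft Updater", r'"C:\Users\alice\AppData\Roaming\MSUpdater\updater.exe" /s'),
        AutoStart("HKCU Run key", "Helper",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -f C:\Users\Public\h.ps1"),
        AutoStart("Startup folder", "Report.pdf.lnk", r"C:\Users\alice\AppData\Local\Temp\report.exe"),
        AutoStart("Startup folder", "Send to OneNote.lnk", r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE"),
    ]


if __name__ == "__main__":
    for finding in hunt(collect_run_keys() or sample_entries()):
        print(finding)
```

On a Windows host the script reads the live Run keys; elsewhere it falls back to the constructed inventory. Resolving the target of a Startup-folder .lnk needs a shortcut parser or the shell COM object, which is why this example takes shortcuts as already-resolved name/target pairs.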
Based on the links Unit 42 found between PyMICROPSIA and AridViper’s MICROPSIA malware, the threat actors “maintain a very active development profile, creating new implants that attempt to bypass the target’s defenses.”