PyMICROPSIA Trojan

A new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, which targets Microsoft Windows systems with an onslaught of data-exfiltration capabilities, from gathering browser credentials to targeting Outlook documents.

The trojan, called PyMicropsia (since it is built with Python), was developed by the threat group AridViper, researchers said; the group is known for targeting organizations in the Middle East.

PyMICROPSIA Trojan Overview

PyMICROPSIA has a rich set of information-stealing and control capabilities, including:

  • File uploading.
  • Payload downloading and execution.
  • Browser credential stealing. Clearing browsing history and profiles.
  • Taking screenshots.
  • Keylogging.
  • Compressing RAR files for stolen information.
  • Collecting process information and killing processes.
  • Collecting file listing information.
  • Deleting files.
  • Rebooting machine.
  • Collecting Outlook .ost file. Killing and disabling Outlook process.
  • Deleting, creating, compressing and exfiltrating files and folders.
  • Collecting information from USB drives, including file exfiltration.
  • Audio recording.
  • Executing commands.

PyMICROPSIA is an information-stealing Trojan built with Python and made into a Windows executable using PyInstaller. It implements its main functionality by running a loop, where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator.

The actor uses Python libraries to achieve its purposes, including both built-in Python libraries and specific packages, for example PyAudio for audio-stealing capabilities and mss for screenshot capabilities.

Python built-in libraries are used for multiple purposes, such as interacting with Windows processes, the Windows registry, networking, the file system and so on.

For specific interactions with the Windows operating system, it makes use of libraries such as WMI, for interaction with Windows Management Instrumentation, and win32security and ntsecuritycon, for interaction with the win32security API.

PyMICROPSIA overview

Command and Control

PyMICROPSIA implements a simple HTTP POST-based C2 protocol, using different Uniform Resource Identifier (URI) paths and variables during the communication depending on the functionality invoked.

AridViper: Active Development

Additional Payloads

Researchers said they identified two additional samples that are dropped and executed on the victim’s system, running additional functionality. These payloads are not Python / PyInstaller based.

PyMicropsia is designed to target Windows operating systems only, although researchers found snippets in the code that check for other operating systems (such as “posix” or “darwin”).

Keylogger functionality

The keylogging functionality hasn’t been implemented natively as part of PyMICROPSIA. Instead, the sample downloads a specific payload.

Persistence

Persistence in this malware sample can be achieved via regular methods, such as setting up registry keys, which is done as part of the Python code.

AridViper Overlaps

Code Overlaps

One of the tactics, techniques and procedures (TTPs) observed across MICROPSIA samples is the use of rar.exe to compress data for exfiltration. In this version, rar.exe is downloaded from the C2 infrastructure and used with very similar parameters.
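The behaviours described on this page (rar.exe fetched from the C2 and run from a user-writable location, Outlook .ost collection with the Outlook process killed, and Run-key persistence) are visible in host telemetry. The following is an added defender-side triage example, not code from the report, from the malware, or from Palo Alto Networks; the event records, paths and command lines are constructed to resemble simplified Sysmon process-creation and registry events.

```python
import re

# Constructed, simplified Sysmon-style events (process creation and registry value
# set). Paths and command lines are illustrative and not taken from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\rar.exe",
     "cmd": r"rar.exe a C:\Users\bob\AppData\Local\Temp\o.rar C:\Users\bob\AppData\Local\Microsoft\Outlook\bob.ost"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill /F /IM outlook.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    # Benign control: WinRAR from its install location, archiving ordinary documents.
    {"type": "process", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmd": r"Rar.exe a D:\backup\docs.rar D:\docs\*"},
]

# Directories a downloaded tool or dropper typically lands in (hypothetical list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.IGNORECASE)
# Classic autostart keys used for registry-based persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def classify(event):
    """Return the TTP labels (in rule order) that one event matches; empty if none."""
    hits = []
    if event["type"] == "process":
        image = event["image"].lower()
        cmd = event["cmd"].lower()
        if image.endswith("rar.exe") and USER_WRITABLE.search(event["image"]):
            hits.append("rar_from_user_writable_path")   # rar.exe dropped, not installed
        if image.endswith("rar.exe") and ".ost" in cmd:
            hits.append("rar_archiving_outlook_ost")     # mailbox staged for exfiltration
        if image.endswith("taskkill.exe") and "outlook.exe" in cmd:
            hits.append("outlook_killed")                # releases the .ost file lock
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and USER_WRITABLE.search(event["value"]):
            hits.append("run_key_to_user_writable_binary")
    return hits


def triage(events):
    """Distinct TTPs seen on a host; several together is the strong signal."""
    seen = set()
    for ev in events:
        seen.update(classify(ev))
    return sorted(seen)


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Each rule alone is noisy (administrators do archive mailboxes); the point is that the combination on one host matches the chain the report describes.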

C2 Communication Similarity

The URI path structures observed in multiple MICROPSIA samples follow a similar structure to the ones in the PyMICROPSIA samples.

Themes Used

MICROPSIA has also made references to specific themes in its code and C2 implementations, including earlier references to TV shows such as The Big Bang Theory and Game of Thrones.

Conclusion

Researchers observed that several sections of the malware are still not used, signifying that it is likely a malware family under active development by this actor.

Palo Alto Networks, an American multinational cybersecurity company, says its customers are protected from these attacks in the following ways:

  • All known AridViper tools, including MICROPSIA and PyMICROPSIA, have malicious verdicts in WildFire.
  • AutoFocus customers can track the AridViper actor and its tools.
  • Cortex XDR blocks both PyMICROPSIA and the dropped payloads.
  • C2 domains have been categorized as Command and Control in URL Filtering and DNS Security.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.