Dangerous ‘Python’-based Spy ‘RAT ‘attacks FinTech! – Evilnum lives up to name! – Watch out for ‘Golden Chickens’ too!

Dangerous ‘Python’-based Spy ‘RAT ‘attacks FinTech! – Evilnum lives up to name! – Watch out for ‘Golden Chickens’ too!

The Evilnum APT has added the ‘RAT’ to its ‘repertoire’ as part of a major change-up in its TTPs.

This group, which specialises in targeting financial technology companies, has launched a new weapon – a Python-based remote access trojan (RAT), named PyVil. The malware’s emergence links to a change in the chain of infection & an expansion of APT infrastructure.


Says researchers at Cybereason, PyVil RAT lets the attackers ex-filtrate data, perform key-logging & take screenshots, & can use secondary credential-harvesting tools e.g. LaZagne (an open source application used to retrieve passwords stored on a local computer).

Evilnum 1st appeared during 2018 using JavaScript malware, & since, it has developed various components written in JavaScript & C# (such as Cardinal RAT).

It’s also been making use of malware-as-a-service offerings from an underground provider known as Golden Chickens, according to an analysis published Thur. (these tools include More eggs, ‘Terra Preter’, ‘Terra Stealer’ & ‘Terra TV’).

Spear-phishing E-mails

The latest campaigns observed by Cybereason that use PyVil RAT are widespread, yet targeted, taking aim at FinTech companies across the UK and EU. The attack tool is spear-phishing emails, which use the Know Your Customer regulations (KYC) as a lure.

“It’s ironic that threat actors would be involved in such a campaign that abuses the ‘Know Your Customer’ regulations, the process by which companies’ vet new customers & partners,” Tom Fakterman, Threat Researcher at Cybereason, explained in an interview.

Know Your Customer

“The Know Your Customer process works in the manner that allows 2 companies to share proprietary info about each other during the vetting process to ensure neither party is involved in corruption, bribery, money laundering, etc.

So, in effect, the threat actors are preying on the FinTech companies by sending fraudulent information & documents that look real.”

New RAT Sets Up Nest

PyVil RAT was compiled with py2exe, which is a Python extension which converts Python scripts into Microsoft Windows executables. This gives the RAT the capacity to download new modules to expand functionality.

“The Python code inside the py2exe is obfuscated with extra layers, in order to prevent decompilation of the payload using existing tools,” according to the research. “Using a memory dump, we were able to extract the 1st layer of Python code.

The 1st piece of code decodes & decompresses the 2nd layer of Python code. The 2nd layer of Python code decodes & loads to memory the main RAT & the imported libraries.”

Configuration Module

PyVil RAT also has a configuration module that holds the malware’s version, command-&-control (C2) domains and instructions for which browser to use when communicating with the C2. The C2 communications are via POST HTTP requests & are RC4 encrypted using a hardcoded key encoded with Base64, according to analysis.

Cybereason found that PyVil RAT has a host of functionality commands, including: ‘Act as a keylogger’; ‘run CMD commands’; ‘take screenshots’; ‘drop & upload other Python scripts & executables’; ‘open an SSH shell’; & ‘collect information’ such as the antivirus products installed on the machine, Chrome version & which USB devices are connected.

During Cybereason’s analysis, PyVil RAT also received from the C2 a custom version of LaZagne, which the Evilnum group has used before.

C2 infrastructure

Evilnum’s C2 infrastructure is growing & expanding as well.

“While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing,” the researchers outlined. “A few weeks ago, 3 domains associated with the malware were resolved to the same IP address. Shortly thereafter, the C2 IP address of all 3 domains changed.

In addition, 3 new domains were registered with the same IP address & were used by the malware. A few weeks later, this change recurred. The resolution address of all domains changed in the span of a few days, with the addition of 3 new domains.”

Infection Routine

Evilnum has launched other new nasty tricks in parallel with rolling out PyVil RAT, the researchers noted. For example, the infection chain has changed to include a multi-process delivery routine for the payload, & this is opposed to relying on a 1st-stage JavaScript Trojan with backdoor capabilities to establish an initial foothold on the target.

The group is using modified versions of legitimate executables in an attempt to remain undetected by security tools, he further observed.


Evilnum has always hitherto relied on spear-phishing emails containing ZIP archives housing 4  LNK files, according to the analysis. The LNK files masquerade as photos of drivers’ licenses, credit cards & utility bills; but when a target clicks on it, the Evilnum JavaScript trojan is launched, which connects to the C2, & sets about its espionage work.

“Up to this date, as described in this publication, 6 different iterations of the JavaScript trojan have been observed in the wild, each with small changes that don’t alter the core functionality,” the researchers observed.

“The JavaScript agent has functionalities such as upload & download files, steal cookies, collect antivirus information, execute commands and more.”


The new routine is multi-stage & complex. It starts by including just 1 LNK file in the ZIP archive attached to an email. When the LNK file is executed, a different JavaScript file is called, which acts only as a 1st-stage dropper, with no C2 capabilities (the file name is ddpp.exe).

“The ddpp.exe executable appears to be a version of Oracle’s legitimate Java Web Start Launcher, modified to execute malicious code,” says Cybereason.

“When comparing the malware executable with the original Oracle executable, we can see the similar metadata between the files. The major difference at 1st sight is that the original Oracle executable is signed, while the malware is not.”


The dropper creates a scheduled task named “Dolby Selector Task,” which begins a 2nd stage of retrieving the payload by unpacking shellcode. This shellcode connects to the C2 using a GET request, & receives back another encrypted executable, which is saved to disk as “fplayer.exe.”

“fplayer.exe appears to be a modified version of [Nvidia’s legitimate] Stereoscopic 3D driver Installer,” the analysis detailed. “In here as well, we can see the similar metadata between the files with the difference being that the original Nvidia executable is signed, while the malware is not.”

When executed, fplayer.exe file unpacks more shellcode, which forms its own C2 connection & downloads yet another payload – the final piece of code. This is decrypted, then loaded to memory & serves as a fileless RAT: a.k.a., PyVil.

Nocturnus Research

“EvilNum knows what they are doing, as they regularly change their TTPs to avoid detection,” Fakterman explained. “In the case of the Nocturnus research, EvilNum is using several new tricks as we discovered a significant deviation from the infection chain, persistence, infrastructure & previously observed tools.

We expect EvilNum to continue to grow its arsenal of tools in the future with more innovative tactics & tools to allow them to stay under the radar.”


To protect themselves, businesses should take some basic precautions when it comes to email security, Fakterman noted.

“Time & time again threat actors revert to the time-tested infection method of phishing emails,” he commented.

“Enterprises need to constantly evolve their stack of security tools to more easily root out the stealth tactics being deployed. The employees of enterprises shouldn’t be opening email attachments from unknown sources and should avoid downloading information from dubious websites.”