A new Python RAT is recently been discovered by BlackBerry Cylance researchers. Although, the Trojan was active since 2018 but didn’t get much attention.
According to the researchers, the PyXie has been observed to deploy in conjunction with Cobalt Strike beacons along with a downloader having similar functionality to Shifu banking Trojan. The PyXie is detected to run a cyber attack campaign that targets healthcare and education industries to attempt dropping ransomware threats.
RAT (Remote access Trojan) belongs to the family of backdoor trojan threats that can silently get installed on the host machine and grants the remote hackers to execute various malicious commands. There are various RAT trojan detected in the past like Quasar RAT, BalkanRAT, Cardinal RAT, ATILLA STEALER and WebMonitor RAT. Likewise, the PyXie can also be used to steal login credentials, install keyloggers and record video so on.
The research team of BlackBerry Cylance performed various incident response engagements to the infected host machines. Here is the conclusions drawn by the team.
- Legitimate LogMeIn and Google binaries used to sideload payloads.
- A Trojanized Tetris app to load and execute Cobalt Strike stagers from internal network shares.
- Use of a downloader with similarities to Shifu named “Cobalt Mode”.
- Use of Sharphound to collect active directory information from victims.
- A custom compiled Python interpreter that uses scrambled opcodes to hinder analysis.
- Use of a modified RC4 algorithm to encrypt payloads with a unique key per infected host.
Distribution And Installation
The Pyxie RAT is distribution and installation has mainly three stages which initiates with the help of side-loading. In this technique the malware utilizes a malicious versions of legitimate apps. In this case, it is Tetris game- an open-source game which is actually a trojanized version. Thus, if any user downloads the malicious version of the Tetris game, then it is the first stage of getting infected with Pyxie RAT. This helps the malware is escape the anti-virus detection as it flags as legitimate app.
The second stage involves installing the malware itself and preparing for the final stage. Once the victims downloads the game, it uses Powershell to escalate admin privileges and gain persistence within the host machine. Now, the final stage is achieved by downloading the “Cobalt-mode” as the final payload. This is done to connect hacker to the host machine using command and control server. For this the malware authors abuses a legitimate penetration testing tool called Cobalt Strike.
There are various functionalities of the Cobalt Mode like:
- Establishing communication by connecting via C&C server,
- Download the encrypted payload and decrypt it on the host machine,
- Mapping to the loader process to its address space and executing the payloads;
- Spawning a new process to inject code for the final or third stage payload.
The Cobalt Mode when achieved on the host machine can carry out various environmental checks like if the system is running on a virtual machine or sandbox. Also, it can detect any smart card reader attached to the host machine that determine request being intercepted for a man-in-the-middle (MitM) attack.
If Everything goes well and the final stage payload is installs “a full-featured Python RAT” that is compiled into an executable”. To create an executable, the RAT uses their own complied Python interpreter instead of using Py2Exe or PyInstaller.
PyXie RAT Functionality
- Man-in-the-middle (MITM) Attack Interception
- Keylogging and harvesting credentials
- Recording videos
- Network Scanning, Cookie theft and Clearing logs
- Monitoring USB drives and exfiltrating data
- Certificate theft
- Virtual Network Connection (VNC)
PyXie RAT Used In Ransomware Campaigns
Along with the above functionalities, the PyXie RAT is also being used in various ransomware attacks that targeted various industries but most of them were healthcare and education.