New Python Malware targeting FinTech Companies

Researchers at cybersecurity firm Cybereason have uncovered new malware being deployed by a well-known and seemingly well-resourced hacking operation codenamed Evilnum. The group has been deemed an advanced persistent threat and has been operating since 2018. Past research published by ESET revealed that one of the factors contributing to the group’s continued success is that it constantly changes tactics while targeting FinTech companies in Europe and the UK, with some victims being as far-flung as the Americas and Australia. This constant variation in tactics has meant that the group has been seen using different components written in JavaScript and C#. The latest attack campaign sees yet another new tool being added to the group's already varied toolbox: a remote access trojan (RAT) written in Python. The malware has been called PyVil by Cybereason researchers.

Typically, a RAT is a trojan that creates a backdoor on a target machine with heightened privileges. The attacker can then access the machine remotely to perform a variety of functions, such as stealing data or dropping secondary payloads. In the case of PyVil, the malware allows attackers to secretly steal corporate information through keylogging and taking screenshots, and to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed, and whether USB devices are connected. In the past, the group relied on spear-phishing campaigns to distribute the malware, which was contained within a .zip archive.

This has changed: while the group still relies upon spear phishing for distribution, the compromise now begins with emails containing an LNK file masquerading as a PDF. Those working for FinTech companies are advised that the phishing emails claim to contain identification documents associated with banking, including utility bills, credit card statements, and even driver’s license photos. These documents are often required by law for individuals to use a bank's services and are commonly referred to as know your customer (KYC) documents.


Financial institutions deal with these documents on a daily basis to verify the identities of customers, which is why the group chose this lure: employees are tricked into opening what they believe are PDF files containing such documents. Once the file is opened, the malware’s infection chain begins, ultimately leading to the malware connecting to the group’s command and control server network. From there, the final payloads of the malware are dropped onto the system.

Stealth is Key

The group has gone to some lengths to ensure the malware remains undetected for long periods of time so that it can better steal the vital information FinTech companies rely on to conduct business. To do this, the malware’s code is bundled behind legitimate software tools to bypass detection. Further, the code is heavily obfuscated. The malware also uses other tools to add functionality, such as LaZagne to better steal credentials. The use of tools developed by others has been a consistent tactic employed by Evilnum, even if the tools themselves are changed and swapped out at will. In previous campaigns, the group has used malware bought as part of a malware-as-a-service offering. While the group does change tactics in how it distributes malware or infects machines, some tactics are unlikely to change, such as the continued targeting of FinTech companies.

In July 2020, reports emerged of yet another campaign conducted by the group, again targeting FinTech companies and again predominantly companies residing in the EU and the UK. Just as in the case of the above campaign, the aim is to infiltrate corporate networks, grab access credentials, and steal valuable financial information that can then either be used for fraudulent purchases or sold on in bulk to other criminals. In yet another eerily similar turn of events, Evilnum's preliminary attack vector is a common one: approach the target with spear-phishing emails. This time, however, the emails contain a link to a .zip file hosted on Google Drive. Once the archive is extracted, malicious .LNK files lead to decoy documents that appear to be files relating to Know Your Customer (KYC) data, such as copies of driving licenses or bills with proof of address, but carry malware.
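The lure described in both campaigns (an LNK shortcut posing as a PDF or other KYC document, delivered in or alongside a .zip archive) can be checked for at a mail or download gateway. The following Python is an added example, not code from Cybereason, ESET or the original article; the function names, the decoy extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK header).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Extensions a KYC-themed lure might imitate (assumed list, extend as needed).
DECOY_EXTS = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx")


def triage_zip(data: bytes) -> list:
    """Return one finding per archive member that is, or claims to be, a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            is_lnk = head == LNK_MAGIC
            named_lnk = name.endswith(".lnk")
            if not (is_lnk or named_lnk):
                continue
            # Explorer hides ".lnk", so "bill.pdf.lnk" displays as "bill.pdf".
            decoy = named_lnk and name[:-4].endswith(DECOY_EXTS)
            findings.append({
                "name": info.filename,
                "lnk_header": is_lnk,
                "decoy_name": decoy,
                # Shortcut content stored under a non-.lnk name.
                "renamed": is_lnk and not named_lnk,
            })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: shortcut headers plus zero filler, no payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("utility_bill.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("drivers_license.jpg", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("statement.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

Password-protected members make `zf.open` raise `RuntimeError`; a gateway should treat an archive it cannot inspect as a finding in its own right.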

The campaign detailed by researchers in July of this year again bundled several legitimate tools, along with less legitimate ones, to carry out its operation. Tools included ActiveX components (OCX files) containing TerraLoader, a dropper for other malware made available to Golden Chickens customers, such as the More_eggs backdoor, a DLL search order hijacking suite, and a sophisticated remote access program. According to ESET,

“The targets are very specific and not numerous. This, and the group's use of legitimate tools in its attack chain, have kept its activities largely under the radar. We were able to join the dots and discover how the group operates, uncovering some overlaps with other known APT groups. We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group”

Why FinTech Companies?

FinTech companies present a wealth of opportunities to hackers with the skill sets to break into company networks. The entire industry has seen startling growth in the last several years, largely due to the ease of access to financial products and the low-cost structures these companies provide by relying on modern technology to drop costs and provide innovative solutions. This in turn has generated a wealth of attention, which has turned into riches for some start-ups. However, not all attention is good: hackers were also watching and saw an opportunity as questions started being asked about the start-ups' ability to protect personal and financial information. While not directly related to Evilnum and its campaigns, the recent scams that struck Twitter and a number of its high-profile users, including Elon Musk, are an example of the opportunities created for hackers by trending FinTech ideas.

The Twitter scam highlighted how scammers can take advantage of cryptocurrency and blockchain technology without much knowledge of how the technology works. What of those with the skills to target the companies themselves? That’s where hackers like those that make up Evilnum come in. FinTech companies are targeted because they possess a vast amount of customer financial data, including social security numbers, credit card information, and bank account information. These data points facilitate access to online banking systems without the users’ consent. Further, hackers can also use this information for identity theft and to submit credit card or loan applications. This damages not only the user’s credit score but also the reputation of the institution issuing the instrument. As many of these companies classify themselves as start-ups, they do not have the resources to dedicate to keeping that valuable information safe. This in turn creates an opportunity for a hacker that is hard to ignore.

While the companies are responsible for the data they collect from users and need to protect it, users are not helpless in preventing such attacks and the devastating effects they have on the individual. Antivirus software is perhaps the most common solution users rely on to prevent cyberattacks on their personal computers, and it is a tried and tested way to prevent a vast majority of other malware attacks, like ransomware. However, where possible, the paid suite should be purchased in preference to the free version, and its databases kept updated.

This is because many security firms provide extra products in paid versions that specifically protect against financial crimes and fraud. This will guarantee that the system works smoothly. If malware databases are up to date, it ensures protection against new threats. In addition to a reputable antivirus solution, some web browsers automatically inform users if a website fails to provide a secure environment for their personal information. If users visit any website that triggers those warnings, they should avoid sharing critical information, as it may be accessed or intercepted by a third party.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
