The Evilnum group, which specializes in targeting financial technology companies, has debuted a new tool: a Python-based remote access trojan (RAT), dubbed PyVil. The malware’s emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT.
According to researchers at Cybereason, PyVil RAT enables the attackers to exfiltrate data, perform keylogging and take screenshots, and can roll out secondary credential-harvesting tools...
The latest series of campaigns observed by Cybereason that use PyVil RAT are widespread yet targeted, taking aim at FinTech companies across the U.K. and E.U. The attack vector is spear-phishing emails, which use the Know Your Customer regulations (KYC) as a lure.
“It’s ironic that threat actors would be involved in such a campaign that abuses the ‘Know Your Customer’ regulations, the process by which companies vet new customers and partners,” Tom Fakterman, threat researcher at Cybereason, told Threatpost in an interview. “The Know Your Customer process works in the manner that allows two companies to share proprietary info about each other during the vetting process to ensure neither party is involved in corruption, bribery, money laundering, etc. So in effect, the threat actors are preying on the FinTech companies by sending fraudulent information and documents that look real.”