PyVILRAT Remote Access Trojan

PyVil (also known as PyVILRAT) is a newly observed, modular remote access trojan (RAT) developed by the Evilnum advanced persistent threat group for its own operations.

Written in Python, it is aimed primarily at financial technology (fintech) organisations and has been observed in campaigns across the UK and EU.

Once installed, it connects to a command and control (C2) server over HTTP POST requests, with the message bodies encrypted using RC4. It first sends user and system information, then waits for further commands. Because RC4 is a symmetric stream cipher, the key the implant uses has to be recovered from the sample before captured traffic can be decoded; inspecting the HTTP stream alone shows only opaque bodies.
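The following is an added example, not code from the original post or from PyVil itself: a minimal RC4 implementation and a helper that decrypts and parses a captured POST body of the kind described above. The key (`ASSUMED_KEY`), the key=value beacon layout and the sample field values are assumptions made for illustration; the page gives neither PyVil's key nor its message format. RC4 is symmetric, so the same routine both builds the sample body and decodes it, and the sanity check shows how a wrong key is detected (the output is not printable text).

```python
"""Decode an RC4-encrypted PyVil-style HTTP POST beacon.

Added example, not code from the original post or from PyVil itself. The key,
the field layout of the beacon and the sample values are assumptions made for
illustration; PyVil's real key and message format are not given on the page.
"""
from typing import Dict

# ASSUMED: a stand-in key. For a real sample the key would be recovered from
# the binary or from process memory; RC4 is symmetric, so it decrypts too.
ASSUMED_KEY = b"not-the-real-pyvil-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_beacon(plain: bytes) -> bool:
    """Cheap sanity check: RC4 under the wrong key yields non-ASCII noise,
    so require printable ASCII and at least one k=v pair."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and "=" in text


def encode_beacon(fields: Dict[str, str], key: bytes = ASSUMED_KEY) -> bytes:
    """Build what an implant would POST: '&'-joined k=v pairs, RC4-encrypted.
    ASSUMED layout; used here only to construct a realistic sample body."""
    plain = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    return rc4(key, plain)


def decode_beacon(body: bytes, key: bytes = ASSUMED_KEY) -> Dict[str, str]:
    """Decrypt a captured POST body and parse it; raise if the key is wrong."""
    plain = rc4(key, body)
    if not looks_like_beacon(plain):
        raise ValueError("decrypted body is not printable k=v text; wrong key?")
    return dict(pair.split("=", 1) for pair in plain.decode().split("&"))


# Constructed sample: the kind of host/user information the text says is
# sent on first contact. All values are made up.
SAMPLE_FIELDS = {"host": "WS-FIN-017", "user": "jdoe", "os": "Windows 10", "id": "a1b2c3"}
SAMPLE_BODY = encode_beacon(SAMPLE_FIELDS)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_BODY.hex())
    print("decoded   :", decode_beacon(SAMPLE_BODY))
    try:
        decode_beacon(SAMPLE_BODY, key=b"wrong-key")
    except ValueError as exc:
        print("wrong key :", exc)
```

Run it directly to see the ciphertext, the decoded fields and the wrong-key failure. The same shape works on real captures once the key has been pulled from the sample; the parsing step is the part you would replace with the implant's actual message format.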

Once connected it can:

  • record screenshots and log keystrokes
  • download and execute secondary payloads or Python scripts
  • open SSH shells
  • execute commands via the command line.

Indicators of Compromise

IP addresses

  • 176.107.188[.]175
  • 185.236.230[.]25
  • 193.56.28[.]201
  • 5.206.227[.]81

Domains

  • corpxtech[.]com
  • crm-domain[.]net
  • extrasectr[.]com
  • fxmt4x[.]com
  • leads-management[.]net
  • quotingtrx[.]com
  • telecomwl[.]com
  • telefx[.]net
  • trquotesys[.]com
  • veritechx[.]com
  • voipasst[.]com
  • voipreq12[.]com
  • voipssupport[.]com
  • vvxtech[.]net
  • xlmfx[.]com

SHA256 hashes

  • 048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9
  • 062ed9f40ca330f0fed63cbdd401521deb23f93b5527038fc88f70ed9acadf39
  • 0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0
  • 0c920e7dfdd0028d9d15344c2e9c64ae57c2c9417dc7b22b865fdfe0cc0b8b1f
  • 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
  • 11d9a87b144c0eaf71e8dea1b08117d464ed7f24a6e716e935e0c7f3a7e03edc
  • 130e0536cdb4e9f7cfb273dbabc9ee196a51d1217cd4b981847af6314f46b052
  • 1a3f39dc604dbca691aefeaf1d5a372fbca3650003d4145671525a2960e1239e
  • 1aa9ecb83acbebc64b23f7192e763cf4bd278f10df2223512087b87230e411b4
  • 25c119a7ee5b53212b5992992907a7772610b491ce2992c860dc206d0f3f844d
  • 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
  • 3f3738e4606ea85a382319269405ee72a928a8a761273914c52342b116cbddfc
  • 4574239efb728913fd379cc914039b1d7fa8c3ac8d6e3503d6f5bc73de504c96
  • 4ce0954ca7173bd696afe8f44bf48027b3d4d630c0cce414b95d6715e662b5fb
  • 4e396586fd6dfcc24686aae73ba5c336939ee7a7aa9ffb76a1f78867926c6e4b
  • 568ec03a27740f8babc3513948a44ce1a2944d05f3d454ce345e67a0634a4a73
  • 5aa1109d057e830d6f3faf4b6ff6f69075d158dadb5f46794b3e07685922d09d
  • 6136309a207b89ccd423f8c087a9cdd633d8f5e78b8ebd576b7750b49274c532
  • 63a4b6ef72e0a3a0886364a5ebcc0009c6da8c27d93cf9d6c8107b6f025fed34
  • 79b032dbb8ade21b97be5dcaa63c974b6cdbb3c6f32b4abf2872288ae43ea4a6
  • 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
  • 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
  • 8dfb2f5c74f38ffb39bfc17bf6a62d5822c458215619c1b2ec2eb345f21d1265
  • 9dfb040dab1fd05fbccf69ff3461295815edc463a61a6304af18a72f82bce534
  • a787ecc380021b3b7115c97242ba06706a0a1e41efe1b734552d74384bae22ec
  • a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
  • bdc20527d5afc4f13fa45c9182c8f58eb88cb4edc76aa38be83d95fd3365ce0a
  • c4b90fdec0848ad68abe18a42889ec0e5e45b7678afbf0353fedf53915b76275
  • c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
  • cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
  • d6343a07357e5443d6a59f10e16a06796c46bec3cbe5968ac04b0f082d6fcecf
  • db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
  • e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
  • f388a2ebbb6a7e577e8aa6205e87d5b2975e7c08464123cc36e8e3d437e9a523
  • f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
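Added example (not from the original post): a small matcher that refangs the indicator lists above and scans log lines for them, treating a domain hit as any host equal to the indicator or a subdomain of it, and an IP hit as an exact address match. The log lines are constructed for illustration; the indicator values are exactly those listed on this page. Suffix matching matters: a host such as quotingtrx.company.com shares a label with an indicator but is not one, and a naive substring search would flag it.

```python
"""Match the PyVil network indicators against constructed proxy/DNS log lines.

Added example, not from the original post. The indicator values are the ones
listed on the page (defanged with "[.]"); the log lines are constructed for
illustration and do not come from any real incident.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Indicators as published, defanged with "[.]" so they are not clickable.
PYVIL_IPS_DEFANGED = [
    "176.107.188[.]175", "185.236.230[.]25", "193.56.28[.]201", "5.206.227[.]81",
]
PYVIL_DOMAINS_DEFANGED = [
    "corpxtech[.]com", "crm-domain[.]net", "extrasectr[.]com", "fxmt4x[.]com",
    "leads-management[.]net", "quotingtrx[.]com", "telecomwl[.]com", "telefx[.]net",
    "trquotesys[.]com", "veritechx[.]com", "voipasst[.]com", "voipreq12[.]com",
    "voipssupport[.]com", "vvxtech[.]net", "xlmfx[.]com",
]


def refang(indicator: str) -> str:
    """Turn "example[.]com" / "hxxp://" back into the form seen in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in PYVIL_IPS_DEFANGED}
IOC_DOMAINS = {refang(d).lower() for d in PYVIL_DOMAINS_DEFANGED}

# Hostnames need a letters-only TLD, so dotted IPv4 literals never match here.
_HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that equals host or is a parent of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # try host, then each parent
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> List[str]:
    """All indicators found in one log line: IP hits first, then domain hits."""
    hits: List[str] = []
    for literal in _IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:                     # e.g. 999.1.1.1 is not an address
            continue
        if ip in IOC_IPS and str(ip) not in hits:
            hits.append(str(ip))
    for host in _HOST_RE.findall(line):
        hit = domain_matches(host)
        if hit and hit not in hits:
            hits.append(hit)
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, indicators) for every line that contains a hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log (proxy + DNS style). Internal addresses and the
# non-indicator hosts are made up; only the indicators are from the page.
SAMPLE_LOG = [
    "2020-09-04T10:12:33Z 10.0.0.5 GET http://www.example.com/ 200",
    "2020-09-04T10:12:41Z 10.0.0.5 POST http://corpxtech.com/api 200",
    "2020-09-04T10:13:02Z 10.0.0.7 dns-query cdn.telefx.net A 185.236.230.25",
    "2020-09-04T10:13:05Z 10.0.0.7 CONNECT 193.56.28.201:443",
    "2020-09-04T10:14:10Z 10.0.0.9 GET http://quotingtrx.company.com/ 200",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The hash list is not used here: file hashes belong in an endpoint or mail-gateway lookup rather than a network log scan, and a plain set lookup on the SHA256 of each file is all that step needs.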

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
