PyVILRAT Remote Access Trojan
PyVil (also known as PyVILRAT) is a newly observed modular and fileless remote access trojan (RAT) created by the Evilnum advanced persistent threat group for their own use.
Written in Python, it is intended primarily for use against financial technology organisations and has been observed in campaigns across the UK and EU.
Once installed, it connects to a command and control server using HTTP POST requests, with all communications encrypted using RC4. It then sends user and system information before awaiting further commands.
Once connected, it can do the following:
- record screenshots and keystrokes
- download and execute secondary payloads or Python scripts
- open SSH shells
- execute command-line commands.
Indicators of Compromise
IP addresses
- 176.107.188[.]175
- 185.236.230[.]25
- 193.56.28[.]201
- 5.206.227[.]81
Domains
- corpxtech[.]com
- crm-domain[.]net
- extrasectr[.]com
- fxmt4x[.]com
- leads-management[.]net
- quotingtrx[.]com
- telecomwl[.]com
- telefx[.]net
- trquotesys[.]com
- veritechx[.]com
- voipasst[.]com
- voipreq12[.]com
- voipssupport[.]com
- vvxtech[.]net
- xlmfx[.]com
SHA256 hashes
- 048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9
- 062ed9f40ca330f0fed63cbdd401521deb23f93b5527038fc88f70ed9acadf39
- 0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0
- 0c920e7dfdd0028d9d15344c2e9c64ae57c2c9417dc7b22b865fdfe0cc0b8b1f
- 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
- 11d9a87b144c0eaf71e8dea1b08117d464ed7f24a6e716e935e0c7f3a7e03edc
- 130e0536cdb4e9f7cfb273dbabc9ee196a51d1217cd4b981847af6314f46b052
- 1a3f39dc604dbca691aefeaf1d5a372fbca3650003d4145671525a2960e1239e
- 1aa9ecb83acbebc64b23f7192e763cf4bd278f10df2223512087b87230e411b4
- 25c119a7ee5b53212b5992992907a7772610b491ce2992c860dc206d0f3f844d
- 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
- 3f3738e4606ea85a382319269405ee72a928a8a761273914c52342b116cbddfc
- 4574239efb728913fd379cc914039b1d7fa8c3ac8d6e3503d6f5bc73de504c96
- 4ce0954ca7173bd696afe8f44bf48027b3d4d630c0cce414b95d6715e662b5fb
- 4e396586fd6dfcc24686aae73ba5c336939ee7a7aa9ffb76a1f78867926c6e4b
- 568ec03a27740f8babc3513948a44ce1a2944d05f3d454ce345e67a0634a4a73
- 5aa1109d057e830d6f3faf4b6ff6f69075d158dadb5f46794b3e07685922d09d
- 6136309a207b89ccd423f8c087a9cdd633d8f5e78b8ebd576b7750b49274c532
- 63a4b6ef72e0a3a0886364a5ebcc0009c6da8c27d93cf9d6c8107b6f025fed34
- 79b032dbb8ade21b97be5dcaa63c974b6cdbb3c6f32b4abf2872288ae43ea4a6
- 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
- 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
- 8dfb2f5c74f38ffb39bfc17bf6a62d5822c458215619c1b2ec2eb345f21d1265
- 9dfb040dab1fd05fbccf69ff3461295815edc463a61a6304af18a72f82bce534
- a787ecc380021b3b7115c97242ba06706a0a1e41efe1b734552d74384bae22ec
- a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
- bdc20527d5afc4f13fa45c9182c8f58eb88cb4edc76aa38be83d95fd3365ce0a
- c4b90fdec0848ad68abe18a42889ec0e5e45b7678afbf0353fedf53915b76275
- c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
- cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
- d6343a07357e5443d6a59f10e16a06796c46bec3cbe5968ac04b0f082d6fcecf
- db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
- e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
- f388a2ebbb6a7e577e8aa6205e87d5b2975e7c08464123cc36e8e3d437e9a523
- f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
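As an added illustration of how a defender would put the indicators above to use (this is example code written for this page, not part of the original advisory and not from any vendor research on PyVil), the script below refangs the published IP addresses and domains, keeps a subset of the published SHA256 hashes, and sweeps a handful of constructed proxy, DNS, firewall and EDR log lines for matches. The log lines, the field names and the helper functions are all assumptions made for the example; the indicator values are the page's own.

```python
import re

# Indicators exactly as published above, in defanged form.
DEFANGED_IPS = [
    "176.107.188[.]175", "185.236.230[.]25", "193.56.28[.]201", "5.206.227[.]81",
]
DEFANGED_DOMAINS = [
    "corpxtech[.]com", "crm-domain[.]net", "extrasectr[.]com", "fxmt4x[.]com",
    "leads-management[.]net", "quotingtrx[.]com", "telecomwl[.]com", "telefx[.]net",
    "trquotesys[.]com", "veritechx[.]com", "voipasst[.]com", "voipreq12[.]com",
    "voipssupport[.]com", "vvxtech[.]net", "xlmfx[.]com",
]
# A subset of the published SHA256 hashes, enough to show the lookup.
SHA256_HASHES = {
    "048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9",
    "79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c",
    "f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_watchlist() -> dict:
    """Group the refanged indicators by type for fast exact lookups."""
    return {
        "ip": {refang(i) for i in DEFANGED_IPS},
        "domain": {refang(d) for d in DEFANGED_DOMAINS},
        "sha256": {h.lower() for h in SHA256_HASHES},
    }


# Pulls hostname-, IP- and hash-like tokens out of a free-form log line.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def match_line(line: str, watchlist: dict) -> list:
    """Return (type, indicator) pairs found in one log line.

    Hostnames match the listed domain itself or any subdomain of it, so a
    DNS query for a subdomain still triggers; IPs and hashes match exactly,
    so 185.236.230.250 does not match the listed 185.236.230.25.
    """
    hits = []
    for token in TOKEN_RE.findall(line):
        token = token.lower().rstrip(".")
        if token in watchlist["ip"]:
            hits.append(("ip", token))
        elif token in watchlist["sha256"]:
            hits.append(("sha256", token))
        else:
            for domain in watchlist["domain"]:
                if token == domain or token.endswith("." + domain):
                    hits.append(("domain", domain))
                    break
    return hits


# Constructed sample log lines for the example; not real telemetry.
SAMPLE_LOGS = [
    "2020-09-01T10:00:01Z proxy src=10.0.0.12 method=POST url=http://corpxtech.com/ status=200",
    "2020-09-01T10:00:05Z dns client=10.0.0.12 query=api.telefx.net. type=A",
    "2020-09-01T10:00:09Z dns client=10.0.0.13 query=www.example.com. type=A",
    "2020-09-01T10:01:00Z edr host=ws12 file=C:\\Users\\u\\run.exe "
    "sha256=79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c",
    "2020-09-01T10:02:00Z fw src=10.0.0.12 dst=185.236.230.25 dport=443 action=allow",
    "2020-09-01T10:02:30Z fw src=10.0.0.14 dst=185.236.230.250 dport=443 action=allow",
]


def scan(lines, watchlist=None) -> list:
    """Return (line_number, hits) for every line that matched an indicator."""
    watchlist = watchlist or build_watchlist()
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, watchlist)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Matching on whole tokens rather than raw substrings is what keeps the near-miss IP on the last sample line from firing, while the suffix check on domains still catches lookups for subdomains of the listed C2 domains. To run it against real data, replace SAMPLE_LOGS with lines read from your proxy, DNS or firewall export.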
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.