Researchers discovered a new Python-based RAT dubbed PyXie that has been used in campaigns targeting a wide range of industries.

Experts at BlackBerry Cylance have spotted a new Python-based remote access Trojan (RAT) that has been used in campaigns targeting a wide range of industries.

PyXie was first observed in the wild in 2018, but it drew little attention from cybersecurity firms until now.

“PyXie has been deployed in an ongoing campaign that targets a wide range of industries. It has been seen in conjunction with Cobalt Strike beacons as well as a downloader that has similarities to the Shifu banking Trojan.” reads the analysis published by Cylance. “Analysts have observed evidence of the threat actors attempting to deliver ransomware to the healthcare and education industries with PyXie.”

PyXie has been observed in conjunction with Cobalt Strike beacons and a downloader that shows some similarities with the Shifu banking Trojan.

The threat actors behind PyXie were observed attempting to deliver ransomware to the healthcare and education industries with this new RAT.

In the first stage of the attack chain, the attackers used legitimate LogMeIn and Google binaries to sideload the first-stage DLL, which then locates its encrypted payload. The second stage installs itself, fingerprints the victim machine, achieves persistence, and spawns a new process into which it injects the third-stage payload.

The malware creates two mutexes to prevent multiple payload instances from running at the same time.

“If the process infected with the second stage payload is running with administrator privileges, the malware will attempt to escalate its own privileges.” continues the analysis. “It does so by creating and starting a temporary service, thus respawning and running as a LOCAL SYSTEM process. To remain stealthy, the malware deletes the temporary service from the Service Control Manager.”
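That escalation step leaves a trace a defender can hunt for: a service is installed and, seconds later, its entry disappears from the Service Control Manager. The Python correlator below is an added example, not code from Cylance or from the PyXie report. It runs over constructed log records whose field names are modelled on Windows Security event 4697 (a service was installed) and Sysmon event 12 (registry key created or deleted); the service names, paths and timestamps are invented for the demo.

```python
"""Flag 'temporary services': a service install followed within a short window
by deletion of its registry key, the trace left by the respawn-as-SYSTEM step
described above.

Added example, not code from Cylance or the PyXie report. The records below
are constructed for the demo; field names follow Windows Security event 4697
(service installed) and Sysmon event 12 (registry key created/deleted), but the
service names, paths and timestamps are invented.
"""
from datetime import datetime

# Sysmon reports the services hive under this normalised prefix.
SERVICES_KEY = r"hklm\system\currentcontrolset\services" + "\\"

# Constructed sample log: one long-lived install, one service deleted four
# seconds after it was installed, a subkey deletion that is not a service
# removal, and one key deletion with no matching install.
SAMPLE_EVENTS = [
    {"time": "2019-11-20T10:00:01", "source": "Security", "id": 4697,
     "ServiceName": "UpdaterSvc",
     "ServiceFileName": r"C:\Program Files\Updater\updater.exe",
     "ServiceAccount": "LocalSystem"},
    {"time": "2019-11-20T10:05:10", "source": "Security", "id": 4697,
     "ServiceName": "tmpsvc1",
     "ServiceFileName": r"C:\Users\Public\svc.exe",
     "ServiceAccount": "LocalSystem"},
    {"time": "2019-11-20T10:05:14", "source": "Sysmon", "id": 12,
     "EventType": "DeleteKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\tmpsvc1"},
    {"time": "2019-11-20T10:05:15", "source": "Sysmon", "id": 12,
     "EventType": "DeleteKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\Parameters"},
    {"time": "2019-11-20T11:00:00", "source": "Sysmon", "id": 12,
     "EventType": "DeleteKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\OldDriver"},
]


def service_name_from_key(target_object):
    """Return the service name if target_object is a direct child of the
    Services key, else None (deleting a subkey such as ...\\Parameters is
    not a service removal)."""
    if not target_object.lower().startswith(SERVICES_KEY):
        return None
    rest = target_object[len(SERVICES_KEY):]
    if not rest or "\\" in rest:
        return None
    return rest


def find_short_lived_services(events, window_seconds=300):
    """Correlate 4697 installs with Sysmon 12 DeleteKey events on the same
    service name; return one finding per service removed within the window."""
    pending = {}   # lower-cased service name -> (install timestamp, event)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["source"] == "Security" and ev["id"] == 4697:
            pending[ev["ServiceName"].lower()] = (ts, ev)
            continue
        if not (ev["source"] == "Sysmon" and ev["id"] == 12
                and ev.get("EventType") == "DeleteKey"):
            continue
        name = service_name_from_key(ev["TargetObject"])
        if name is None or name.lower() not in pending:
            continue
        installed_at, install_ev = pending.pop(name.lower())
        lifetime = (ts - installed_at).total_seconds()
        if lifetime <= window_seconds:
            findings.append({
                "service": install_ev["ServiceName"],
                "image": install_ev["ServiceFileName"],
                "account": install_ev["ServiceAccount"],
                "lifetime_seconds": lifetime,
            })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_services(SAMPLE_EVENTS):
        print(f"short-lived service {f['service']} ({f['image']}) "
              f"removed after {f['lifetime_seconds']:.0f}s")
```

Two collection caveats apply on a real estate: event 4697 is only written when the "Audit Security System Extension" subcategory is enabled, and Sysmon only emits event 12 for the Services hive if its configuration includes a RegistryEvent rule covering that path. A service image running as LocalSystem from a user-writable path, as in the constructed hit, is the case worth escalating first.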

The third-stage payload is a downloader dubbed Cobalt Mode, which shares similarities with the Shifu banking Trojan. Upon execution, it connects to a command and control (C&C) server, fetches an encrypted payload and decrypts it, maps and executes the decrypted payload in the address space of the current process, and then spawns a new process for code injection.

Cobalt Mode also checks whether it is running in a sandbox or virtualized environment, whether a smart card reader is attached to the infected machine, and whether its requests are being intercepted by a man-in-the-middle (MitM) attack.

The last stage of the attack chain is the PyXie RAT, which supports the following features:

MITM interception;

Web-injects;

Keylogging;

Credential harvesting;

Network scanning;

Cookie theft;

Log clearing;

Video recording;

Payload execution;

USB drive monitoring and data exfiltration;

Certificate theft;

Software inventorying.

PyXie RAT functionality also includes a WebDAV server, a SOCKS5 proxy, and Virtual Network Computing (VNC), along with the ability to enumerate domains using SharpHound.

Communication with the C2 is implemented over HTTP/HTTPS; as a backup mechanism, the malware uses comments left on GitHub Gists.

The malware is able to download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself from the infected system.

Experts observed the RAT being deployed alongside Cobalt Strike and using a Trojanized open-source Tetris game as its loader.

Technical details about the malware, including the Indicators of Compromise (IOCs), are available in the report published by Cylance.

Pierluigi Paganini

(SecurityAffairs – PyXie RAT, malware)