PyXie Trojan Targets Healthcare, Educational Institutions, BlackBerry Cylance Says
A new malware campaign uses a Trojanized version of the Tetris game.
A new malware campaign uses a Trojanized version of the game Tetris to target healthcare and educational institutions for credential stealing, according to a report from BlackBerry Cylance. Analysts have observed evidence of the threat actors attempting to deliver ransomware with the ‘PyXie’ Trojan.
PyXie, which has been active since 2018, is written in the Python programming language. The Trojan is highly customizable, with advanced capabilities to perform attacks such as man-in-the-middle, web injection, keylogging, credential harvesting and video harvesting, writes Ryan Tracey, a senior threat researcher at BlackBerry Cylance, in a blog post on Monday.
“BlackBerry Cylance researchers have recently discovered a previously unnamed Python RAT we’re calling PyXie,” the blog says. “Analysts have observed evidence of the threat actors attempting to deliver ransomware to the healthcare and education industries with PyXie.”
Although the researchers are unclear about the threat actors behind the Trojan and the extent of the attack, the security firm told ZDNet that the malware campaign is active.
Spread Using Trojanized Game
A hacking group used legitimate commercial software called Cobalt Strike and a Trojanized open source game, Tetris, to spread the malware, the blog notes.
Once a victim has downloaded the game, the Trojanized Tetris app loads and executes Cobalt Strike binaries, which then escalate privileges and establish persistence on the victim’s Windows system, according to the blog.
Before the final stage of the infection, a malware downloader called Cobalt Mode is installed on the system and performs tasks such as communicating with the command-and-control server, downloading and decrypting the payload and spawning a new process for code injection, the researchers determined.
“Cobalt Mode malware can carry out a series of environmental checks,” the blog notes. “It can determine if it is being run from a sandbox or virtual machine, if a smart card reader is attached, and if requests are being intercepted with a man-in-the-middle attack.”
Malware Downloader Akin To Shifu
The BlackBerry Cylance report notes that the Cobalt Strike downloader is similar to the Shifu banking Trojan in terms of its functions and code.
Shifu, a sophisticated banking Trojan that was first discovered by IBM’s security team – X-Force Research – in August 2015, was used by threat actors for credential stealing and bank account takeovers, Limor Kessem, executive security adviser at IBM, noted in an earlier blog.
Similar to PyXie, Shifu came with features such as keylogging, screenshot grabbing, a remote access tool and bot-control modules, Kessem says in another blog post.
According to the IBM analysis, the Shifu Trojan was active in 2016 attack campaigns in Japan and the U.K. (see: Banking Trojans Expand Their Reach).
Although the malware received an upgrade in 2017, Kessem notes that its activity significantly waned.