Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Evilnum Unleashes PyVil RAT

The Evilnum APT has added the RAT to its arsenal as part of a big change-up in its TTPs. The Evilnum group, which specializes in targeting financial technology companies, has debuted a new tool: a Python-based remote access trojan (RAT) dubbed PyVil. The malware's emergence dovetails with a change in the group's infection chain and an expansion of its infrastructure. PyVil RAT was compiled with py2exe, a Python extension that converts Python scripts into Microsoft Windows executables. This gives the RAT the capability to download new modules to expand its functionality. PyVil RAT also has a configuration module that holds the malware's version, command-and-control (C2) domains and instructions for which browser to use when communicating with the C2. The C2 communications are done via HTTP POST requests and are RC4 encrypted using a hardcoded key that is stored Base64-encoded, according to the analysis.
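As an added example (not code from the page or from any published PyVil analysis), the Python script below shows how an analyst who has recovered the Base64-encoded hardcoded key from a sample's configuration would decrypt a captured RC4-encrypted POST body. The key, the C2 path and host, and the beacon content are constructed placeholders, not values from the real malware.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_config(b64_key: str) -> bytes:
    """The hardcoded key is stored Base64-encoded; recover the raw key bytes."""
    return base64.b64decode(b64_key)


def decrypt_post_body(raw_request: bytes, b64_key: str) -> bytes:
    """Split a captured HTTP POST at the header/body boundary and decrypt the body."""
    _headers, _sep, body = raw_request.partition(b"\r\n\r\n")
    return rc4(key_from_config(b64_key), body)


# Constructed sample values (placeholders, NOT taken from the real malware).
SAMPLE_B64_KEY = base64.b64encode(b"placeholder-key").decode()
SAMPLE_BEACON = b'{"version":"0.0","cmd":"checkin"}'


def build_sample_request() -> bytes:
    """Build a constructed POST so the decryption path can be exercised offline."""
    body = rc4(key_from_config(SAMPLE_B64_KEY), SAMPLE_BEACON)
    headers = (b"POST /api HTTP/1.1\r\nHost: c2.example\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


if __name__ == "__main__":
    print(decrypt_post_body(build_sample_request(), SAMPLE_B64_KEY))
```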
Name                          Modified Date   Sources
Evilnum Unleashes PyVil RAT   2020-09-16