Experts from Unit 42 of Palo Alto Networks have discovered a new malware called PyMICROPSIA for stealing Windows information, associated with the AridViper group, which can presumably be used to infect computers running Linux and macOS.
The Trojan, dubbed PyMICROPSIA, was discovered while investigating the activities of the Arabic-speaking cyber-espionage group AridViper (also known as Desert Falcon and APT-C-23), which has been carrying out attacks on Middle Eastern targets since at least 2011.
“Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region. As part of this research, a new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, showing that the actor maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets”, — told Palo Alto Networks researchers.
PyMICROPSIA is a Python-based malware specially designed to attack Windows systems using a binary file created with PyInstaller.
“PyMICROPSIA is usable only for Windows devices, but its code contains interesting snippets (“posix “or” darwin “”) that test other operating systems”, — the experts said.
Experts also believe that these checks could have been introduced by malware developers when copying code from other “projects” and may well be removed in future versions of the PyMICROPSIA Trojan.
Unit 42 discovered a huge number of features when analysing malware samples and payloads downloaded from C&C servers.
The complete list of malware capabilities includes downloading files, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, taking screenshots, keylogging, collecting information about processes and shutting them down, collecting information about file listing, deleting files, rebooting the system, collecting information from USB-drives, recording audio, executing commands, etc.
The Trojan’s keylogging capability is implemented using the GetAsyncKeyState API, a part of a separate payload that the malware downloads from the C&C server.
The downloaded payload is also used to ensure persistence by placing a .LNK shortcut in the Windows Startup folder of the compromised computer.
However, PyMICROPSIA will also use other save methods, including setting dedicated to registry keys that will restart malware after a system restart.
Let me also remind you that GravityRAT malware now has versions for Android and macOS.
