New PyMICROPSIA malware for Windows can also be used for attacks on Linux and macOS

Experts from Palo Alto Networks' Unit 42 have discovered a new information-stealing malware for Windows called PyMICROPSIA. It is attributed to the AridViper group and can presumably also be used to infect computers running Linux and macOS.

The Trojan, dubbed PyMICROPSIA, was discovered while investigating the activities of the Arabic-speaking cyber-espionage group AridViper (also known as Desert Falcon and APT-C-23), which has been carrying out attacks on Middle Eastern targets since at least 2011.

“Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region. As part of this research, a new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, showing that the actor maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets,” Palo Alto Networks researchers said.

PyMICROPSIA is a Python-based malware specially designed to attack Windows systems using a binary file created with PyInstaller.

“PyMICROPSIA is usable only for Windows devices, but its code contains interesting snippets (“posix” or “darwin”) that test other operating systems,” the experts said.

Experts also believe that these checks may have been introduced when the malware developers copied code from other “projects”, and that they may well be removed in future versions of the PyMICROPSIA Trojan.

Unit 42 discovered a large number of features when analysing the malware samples and the payloads downloaded from the C&C servers.

The complete list of malware capabilities includes downloading files, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, taking screenshots, keylogging, collecting information about running processes and terminating them, collecting file listings, deleting files, rebooting the system, collecting information from USB drives, recording audio, executing commands, and more.


The Trojan’s keylogging capability is implemented using the GetAsyncKeyState API, a part of a separate payload that the malware downloads from the C&C server.

The downloaded payload is also used to ensure persistence by placing a .LNK shortcut in the Windows Startup folder of the compromised computer.

However, PyMICROPSIA also uses other persistence methods, including setting dedicated registry keys that relaunch the malware after a system restart.
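To check a host for the two persistence locations described above, here is an added PowerShell audit; it is not code from the article or from Unit 42. It assumes the registry keys involved are the usual Run/RunOnce autostart keys (the article only says “dedicated registry keys”) and flags autostart targets that resolve to user-writable directories, where dropped payloads usually live.

```powershell
# Added example (not from the article or Unit 42): audit the two persistence
# spots the article names. The exact Run/RunOnce keys are an assumption; the
# article only says the Trojan sets "dedicated registry keys".
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
$runKeys = 'HKCU', 'HKLM' | ForEach-Object {
    "$($_):\Software\Microsoft\Windows\CurrentVersion\Run"
    "$($_):\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
# Autostart targets under user-writable paths are worth a closer look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

function Test-UserWritablePath([string]$Path) {
    foreach ($root in $userWritable) { if ($Path -like "$root*") { return $true } }
    return $false
}

$shell = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Shortcuts in the Startup folders, resolved to the executable they launch
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $findings += [pscustomobject]@{
            Source = 'Startup folder'; Entry = $_.FullName
            Target = $lnk.TargetPath; Arguments = $lnk.Arguments
            Flagged = Test-UserWritablePath $lnk.TargetPath
        }
    }
}

# 2. Run/RunOnce values (PS* properties are PowerShell metadata, not values)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $target = ([string]$p.Value).Trim('"')
        $findings += [pscustomobject]@{
            Source = $key; Entry = $p.Name
            Target = $target; Arguments = ''
            Flagged = Test-UserWritablePath $target
        }
    }
}

$findings | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is not proof of compromise; legitimate updaters also autostart from AppData, so compare the resolved target against known software before acting.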

Let me also remind you that GravityRAT malware now has versions for Android and macOS.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
