| Type | Sector |
| --- | --- |
| RAT | FinTech |
Capabilities
- Keylogging
- Taking screenshots
- Gathering information from infected systems
Impact
- The leak of PII can lead to identity theft.
- Confidential documents or chats leaked to the public can damage the reputation of an individual or organization.
- Once a device is infected, it can be used as a bot to perform DDoS attacks, making services inaccessible.
- The malware gives its operators access to a victim's details, which are then used to further dupe the victims or to carry out social engineering attacks against them.
Mitigations
- Do not open suspicious or unsolicited emails, especially those received from unknown or suspicious senders.
- Block the installation of programs from unknown sources.
- Download only from relevant and trusted sources.
- Back up your data at regular intervals.
- Use a trusted scanner to detect malware.
- Disable Windows PowerShell, which is a task automation framework.
Indicators of Compromise
Domains, IP addresses, and file hashes for the LNK files, the dropped PDFs, the PyVil py2exe executable, its first and second obfuscation layers, and its python libraries.