Researchers have sounded a warning bell at BlackBerry Cylance about a new trojan malware called PyXie RAT. The malware can perform all sorts of nefarious deeds, including keylogging, stealing login credentials, and recording videos. PyXie RAT can also distribute other attacks, including ransomware.
The newly discovered PyXie RAT campaign is being run by a sophisticated cyber-criminal operation that is targeting healthcare and education organizations. The malware is custom-built and Python-based. Once a machine is infected, it runs on most Windows systems and lets the attacker monitor the machine and steal sensitive data.
Other functions that the software can perform include cookie theft and man-in-the-middle attacks. One of the most worrisome capabilities is the ability to deploy different forms of malware on infected systems. PyXie RAT is also able to clear evidence of its activity to prevent detection. Despite those attempts, traces of the attacks were left behind and were discovered by BlackBerry Cylance researchers. It was dubbed PyXie RAT because it uses a ".pyx" file extension instead of the ".pyc" extension typically associated with compiled Python.
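The renamed-extension trick described above is easy to check for on the defensive side, because compiled CPython bytecode carries a fixed magic header regardless of what the file is called. The following scanner is an added example written for this article, not code from BlackBerry Cylance or from the malware; it builds a constructed sample directory (one genuine .pyc, one bytecode file renamed to .pyx, and one plain-text Cython-style .pyx) and reports any bytecode file whose extension is not .pyc. The directory layout and file names are assumptions made for the demonstration.

```python
from __future__ import annotations

import importlib.util
import os
import py_compile
import tempfile
from pathlib import Path

# Every CPython .pyc magic number ends in CR LF; the first two bytes vary by version.
PYC_MAGIC_TRAILER = b"\r\n"


def is_python_bytecode(path: Path) -> bool:
    """Return True if the file starts with a CPython bytecode magic header."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    if len(head) < 4:
        return False
    # Exact match for the running interpreter, or the generic CR LF trailer for
    # bytecode produced by another CPython version.
    return head == importlib.util.MAGIC_NUMBER or head[2:4] == PYC_MAGIC_TRAILER


def find_mislabelled_bytecode(root: Path, expected_ext: str = ".pyc") -> list[Path]:
    """Walk `root` and return bytecode files whose extension is not `expected_ext`."""
    hits: list[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.suffix.lower() != expected_ext and is_python_bytecode(candidate):
                hits.append(candidate)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample directory (hypothetical names) used to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="pyx_scan_"))
    source = root / "mod.py"
    source.write_text("def f():\n    return 42\n")
    # A legitimately named compiled module.
    py_compile.compile(str(source), cfile=str(root / "mod.pyc"), doraise=True)
    # The same bytecode saved under the .pyx extension, as the article describes.
    py_compile.compile(str(source), cfile=str(root / "loader.pyx"), doraise=True)
    # A real Cython source file is text, so it carries no bytecode header.
    (root / "cython_source.pyx").write_text("cdef int f():\n    return 42\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_mislabelled_bytecode(sample_root):
        print(f"bytecode with unexpected extension: {hit}")
```

Only the renamed bytecode file is reported; the genuine Cython source is text and passes the check, which matters because .pyx is a legitimate extension and a scanner keyed on the extension alone would flag every Cython project. The CR LF trailer test is deliberately loose so it catches bytecode from other interpreter versions; treat a hit as something to inspect rather than as proof of compromise.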
PyXie RAT has been active since at least 2018 and is highly customized, indicating that considerable time and resources went into its development. The malware is typically delivered to victims using a sideloading technique that leverages legitimate apps to help compromise the target PC. One infection route the researchers discovered was a trojanized version of an open-source game.
When the game was installed, the PyXie RAT malware was installed alongside it, using PowerShell to escalate privileges and gain persistence on the machine. A third stage sees the malware use something called "Cobalt Mode", which connects to a command and control server to download the final payload. That mode also takes advantage of Cobalt Strike, a legitimate penetration testing tool, to help install the malware. PyXie RAT is said to be similar to the Shifu banking trojan, leaving it unclear whether the same group operates both. In other trojan news, back in March, a Windows 10 trojan was targeting IoT Core machines.