Security researchers have discovered a new information-stealing trojan that targets Windows systems. The trojan can steal browser credentials and target Outlook processes. According to the researchers, the Windows trojan is called PyMicropsia and was developed by the hacking group AridViper, which usually targets organizations in the Middle East.
"AridViper is an active group that continues to develop new tools," reported researchers from Palo Alto Networks' Unit 42 in their report. "Also, based on the different parts of PyMicropsia we analyzed, many malware components are not yet in use, which indicates that they are probably a malware family under development."
The information-stealing trojan's features include: uploading files, downloading and executing payloads, stealing browser credentials (and the ability to clear browsing history and profiles), taking screenshots and keylogging. Additionally, the malware can collect file information, delete files, restart Windows machines, collect information from USB drives, record audio, collect Outlook .OST files, and disable Outlook processes.
An OST file is an offline folder file used by Microsoft Outlook, which allows users to work offline by synchronizing changes with the Exchange server the next time they connect. OST files may contain emails, contacts, tasks, calendar data, and other account information.
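Two of the behaviours listed above, a process other than Outlook reading .OST files and a process killing Outlook, are easy to turn into a hunting heuristic. The following is an added example written for this article, not code from Unit 42 or from the malware; the event records and the process allowlist are constructed assumptions and would be tuned to real telemetry.

```python
"""Hunting heuristic for the Outlook-related behaviours attributed to
PyMicropsia: a non-Outlook process reading .OST files, or a process
terminating OUTLOOK.EXE.  Added example; the events below are constructed
sample telemetry, not real data from the report."""
from dataclasses import dataclass

OUTLOOK_IMAGE = "outlook.exe"
# Processes that legitimately open .OST files (assumption; tune per estate).
OST_ALLOWLIST = {"outlook.exe", "searchindexer.exe"}


@dataclass
class Event:
    action: str   # "file_read" or "process_terminate"
    process: str  # image name of the acting process
    target: str   # file path read, or image name of the terminated process


def is_suspicious(ev: Event) -> bool:
    """Return True when the event matches one of the two heuristics."""
    proc = ev.process.lower()
    tgt = ev.target.lower()
    if ev.action == "file_read" and tgt.endswith(".ost"):
        # OST collection: only allowlisted processes should touch these files.
        return proc not in OST_ALLOWLIST
    if ev.action == "process_terminate" and tgt == OUTLOOK_IMAGE:
        # Outlook exiting on its own is normal; another process killing it is not.
        return proc != OUTLOOK_IMAGE
    return False


def find_suspicious(events):
    """Filter a list of events down to those worth alerting on."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (hypothetical paths and process names).
SAMPLE_EVENTS = [
    Event("file_read", "OUTLOOK.EXE", r"C:\Users\a\AppData\Local\Microsoft\Outlook\a@corp.ost"),
    Event("file_read", "python.exe", r"C:\Users\a\AppData\Local\Microsoft\Outlook\a@corp.ost"),
    Event("process_terminate", "taskkill.exe", "OUTLOOK.EXE"),
    Event("process_terminate", "OUTLOOK.EXE", "OUTLOOK.EXE"),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {ev.action}: {ev.process} -> {ev.target}")
```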
The new Windows Trojan PyMicropsia
According to the researchers, once downloaded, the trojan begins collecting data.
The attackers use both built-in Python libraries and specific packages for information theft, e.g. PyAudio (to enable audio capture) and mss (to take screenshots).
"Python built-in libraries are used for many purposes, such as interacting with Windows processes, the Windows registry, networking, the file system and so on," the researchers said.
PyMicropsia is associated with Micropsia, another piece of AridViper malware that also targets Windows systems. The researchers noticed that the two share common code elements and that similar tactics, techniques and procedures (TTPs) are used.
AridViper: The team is constantly developing new tools
While investigating the capabilities of the new Windows trojan PyMicropsia, the researchers said they found two additional samples hosted on the attackers' infrastructure.
The additional samples, which the trojan retrieves and uses during its development, provide persistence and keylogging capabilities.
Also, while the PyMicropsia trojan is designed to target only Windows systems, the researchers found pieces of code that check for other operating systems (such as "posix" or "darwin").
"This is an interesting finding, as we have never seen AridViper target these operating systems, and this could represent a new area that the hackers are beginning to explore," the researchers said, adding that they will continue to monitor the hacking group's activities.