Python-based malware family targets Microsoft users to steal Outlook mailbox files and browser credentials.
The good people at Palo Alto Networks have identified a new cybersecurity threat. Their Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region.
As part of this research, Unit 42 has identified a new information-stealing Trojan related to the MICROPSIA malware family. This shows that the AridViper malefactors maintain a very active development profile: they are constantly creating new implants that seek to bypass the defenses of their targets, according to Unit 42.
The researchers have named this newest malware family PyMICROPSIA because it is built with Python. They announced the new threat in a blog post this week.
PyMICROPSIA is a full-featured Trojan threat
PyMICROPSIA has a rich set of information-stealing and control capabilities, according to Unit 42. These include file uploading, payload downloading and execution.
In the browser, it steals credentials and clears browsing history and profiles. It can also take screenshots, log keystrokes and compress stolen information into RAR archives.
The Trojan can collect process information and kill processes. It can collect file listing information, as well as delete files. It can even reboot your machine.
In Outlook, PyMICROPSIA can collect the Outlook .ost file as well as kill and disable the Outlook process.
In addition to the Microsoft-specific attacks, the malware also creates general mayhem, such as deleting, creating, compressing and exfiltrating files and folders. It will also collect information from USB drives, including file exfiltration.
Scariest of all, PyMICROPSIA can run audio recording as well as execute commands.
Using Python to infiltrate and attack
AridViper built the malware with Python and made it into a Windows executable using PyInstaller. The Trojan implements its main functionality by running a loop. It initializes different threads and calls several tasks periodically.
PyMICROPSIA uses Python libraries to achieve its purposes, including built-in Python libraries and specific packages, like PyAudio to record audio and mss to take screenshots.
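A defender's triage step suggested by the PyInstaller detail above, as an added example that is not code from Unit 42 or from the malware itself: flag a Windows executable that carries a PyInstaller archive by locating and parsing the bundle's trailing cookie. It assumes the PyInstaller 2.1+ cookie layout (an 88-byte record beginning with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e) and uses a constructed byte buffer in place of a real binary.

```python
import struct

# Layout of the PyInstaller 2.1+ archive cookie, assumed from the PyInstaller
# bootloader: magic, package length, TOC offset, TOC length, Python version,
# Python DLL name. Integers are big-endian ("!").
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return parsed cookie fields if `data` embeds a PyInstaller archive, else None.

    The cookie normally sits at the very end of the file, but signed or padded
    builds can push it inward, so the last occurrence of the magic is used.
    """
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, pos
    )
    # The TOC must lie inside the package; anything else is a false hit.
    if toc_off < 0 or toc_len < 0 or pkg_len < toc_off + toc_len:
        return None
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyvers,  # e.g. 37 for a Python 3.7 build
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-built EXE (not a real binary)."""
    stub = b"MZ" + b"\x00" * 200          # fake PE stub
    archive = b"A" * 500                  # fake CArchive body including its TOC
    pkg_len = len(archive) + COOKIE_SIZE  # cookie counts toward package length
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, 400, 100, 37,
                         b"python37.dll")
    return stub + archive + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
```

A hit on a binary that was not expected to be a Python application is a cheap reason to pull it for deeper analysis; the parsed Python DLL name and version also tell you which interpreter the bundle expects.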
Researchers also found the malware has a “Keanu Reeves” module and another called “Fran Drescher.” Its code also contains numerous references to Disney movies and to TV series such as The Big Bang Theory and Game of Thrones.