Tetris game app used to distribute PyXie Python RAT

A new remote access trojan whose
name reminds one of a fairytale and not the potential nightmare it could bring
to its victim has been disclosed by Cylance.

PyXie Python RAT has been
flitting about since 2018, helping deliver ransomware and other malware to the
healthcare and education industries. The RAT has been tracked being delivered
through malicious Tetris apps to load and execute the pen testing tool Cobalt
Strike and a custom shellcode loader.

“The loader is a Trojanized
open source Tetris game. It has been modified to load an encrypted shellcode
payload named ‘settings.dat’ from an internal network share and inject it into
a new process,” Cylance said.

Once installed, the RAT can
conduct a laundry list of malicious activity ranging from man-in-the-middle
attacks to keylogging to running arbitrary payloads, Cylance reported.

Typically a campaign using PyXie
uses legitimate LogMeIn and Google binaries to sideload payloads, a
downloader similar to one used by Shifu and Cobalt Mode, a custom compiled
Python interpreter that uses scrambled opcodes to hinder analysis, and a
modified RC4 algorithm to encrypt payloads with a unique key per infected host.

An attack has three distinct
stages. The first is the loader using the LogMeIn or Google binary; the second is
installation and persistence, which fingerprints the targeted machine by
generating a hardware ID hash, along with a process to download the third stage.

At this point two mutexes are
created to stop two iterations of the malware from running on the same device,
and if the process infected by the loader has admin privileges, PyXie will
attempt to use that functionality to escalate its own privileges.

The third stage features the
Cobalt Mode downloader, which is capable of connecting to a command and control (C&C)
server, downloading a full-featured and encrypted Python RAT compiled into an
executable, decrypting the payload, mapping and executing the payload in the
address space of the current process and finally spawning a new process for
code injection.

The malware is now ready to
begin operating.

The post Tetris game app used to distribute PyXie Python RAT appeared first on SC Media.
