A new Python RAT (Remote Access Trojan) was just uncovered by security researchers. Called PyXie, the Trojan has been observed in the wild since 2018, or maybe even earlier, but hasn’t been analyzed deeply until now.
PyXie RAT: Technical Overview
According to BlackBerry Cylance researchers, PyXie is being used in attacks against several industries. The analysis shows that the malware has been deployed in conjunction with Cobalt Strike and a downloader similar to Shifu.
The research team was able to perform multiple incident response engagements in which the RAT was identified on infected hosts. Thanks to this information, the researchers outlined the malware’s “key highlights” seen in campaigns:
- Legitimate LogMeIn and Google binaries used to sideload payloads.
- A Trojanized Tetris app to load and execute Cobalt Strike stagers from internal network shares.
- Use of a downloader with similarities to Shifu named “Cobalt Mode”.
- Use of Sharphound to collect Active Directory information from victims.
- A custom compiled Python interpreter that uses scrambled opcodes to hinder analysis.
- Use of a modified RC4 algorithm to encrypt payloads with a unique key per infected host.
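The last highlight matters for incident responders: when each host's payload is encrypted under its own key, a blob recovered from one machine cannot be decrypted with key material taken from another, so the key (or the decrypted payload) has to be captured on the infected host itself. The following added example is not PyXie's code and does not reproduce its modified cipher; it uses textbook RC4 and a hypothetical per-host key derivation (a hash of hostname and machine identifier, purely an assumption) to show that property.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key-scheduling + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def host_key(hostname: str, machine_id: str) -> bytes:
    """Hypothetical per-host key derivation (assumption for this example, not PyXie's scheme)."""
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).digest()[:16]


def encrypt_for_host(payload: bytes, hostname: str, machine_id: str) -> bytes:
    return rc4(host_key(hostname, machine_id), payload)


def decrypt_on_host(blob: bytes, hostname: str, machine_id: str) -> bytes:
    return rc4(host_key(hostname, machine_id), blob)


if __name__ == "__main__":
    payload = b"constructed payload bytes"          # constructed sample input
    blob = encrypt_for_host(payload, "WS-01", "guid-A")
    # Only the originating host's identifiers recover the payload; another host's material yields noise.
    print(decrypt_on_host(blob, "WS-01", "guid-A") == payload)   # True
    print(decrypt_on_host(blob, "WS-02", "guid-B") == payload)   # False
```

The practical consequence for a responder is to preserve whatever host-specific inputs the loader feeds its key derivation (or to dump the decrypted payload from process memory) before reimaging the machine.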
PyXie RAT: Distribution
The RAT is distributed through a sideloading technique that abuses legitimate applications. One example is a trojanized version of an open-source Tetris game: a victim who downloads the game also downloads the malicious payload without realizing it. The malware then uses PowerShell to escalate privileges and achieve persistence on the infected host.
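Sideloading leaves a recognizable shape in image-load telemetry: a legitimate executable running from a user-writable directory loads an unsigned DLL that sits next to it, often one carrying the name of a Windows system DLL. The following added example (not from the report or from PyXie) applies two such rules to constructed Sysmon-style image-load records; the event field names, directory lists and DLL names are assumptions for illustration.

```python
import ntpath  # handles Windows paths on any OS

# Directories where Windows keeps its own DLLs; a system DLL name loaded from elsewhere is suspicious.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Locations a standard user can write to; an unsigned sibling DLL here is the classic sideloading shape.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\temp")
# Illustrative system DLL names frequently chosen for search-order hijacking (not exhaustive).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}

# Constructed sample events with Sysmon Event ID 7-style fields (Image = process, ImageLoaded = DLL).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update\signed_tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\update\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\SomeVendor\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeVendor\plugin.dll", "Signed": "false"},
]


def _under(path: str, roots) -> bool:
    """True if path lies beneath any of the given root directories (case-insensitive)."""
    p = ntpath.normcase(path)
    return any(p.startswith(ntpath.normcase(r) + "\\") for r in roots)


def classify_load(event: dict) -> list:
    """Return the reasons (possibly none) why one image-load event looks like sideloading."""
    image, loaded = event["Image"], event["ImageLoaded"]
    reasons = []
    name = ntpath.basename(loaded).lower()
    if name in SYSTEM_DLL_NAMES and not _under(loaded, SYSTEM_DIRS):
        reasons.append(f"system DLL name {name} loaded from non-system path")
    same_dir = ntpath.normcase(ntpath.dirname(image)) == ntpath.normcase(ntpath.dirname(loaded))
    if same_dir and _under(loaded, USER_WRITABLE) and event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned DLL loaded from executable's own user-writable directory")
    return reasons


def find_sideloading(events) -> list:
    """Filter events down to those with at least one sideloading indicator."""
    hits = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloading(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"])
        for r in hit["reasons"]:
            print("   ", r)
```

Only the second constructed event fires, on both rules; the Chrome load of the real System32 version.dll and the vendor application loading its own unsigned plugin from Program Files stay quiet. In production the same logic runs over the endpoint sensor's image-load stream, with the DLL name list extended from the hijackable-library references the team already tracks.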
As already mentioned, PyXie uses Cobalt Mode to connect to a command and control server to download the final payload of the operation.
As explained in the report, Cobalt Mode operates in several phases: connecting to the command and control server, downloading an encrypted payload and decrypting it, mapping and executing the payload in the address space of the current process, and spawning a new process for code injection.
It is noteworthy that Cobalt Mode can conduct a series of environmental checks to determine whether it is being run in a sandbox or virtual machine (VM). It can also determine whether a smart card reader is attached, and whether its requests are being intercepted by a man-in-the-middle (MitM) attack.
As for the final stage payload, it is “a full-featured Python RAT compiled into an executable”. The authors of the malicious code compiled their own Python interpreter instead of using Py2Exe or PyInstaller to create the executable.
Finally, the capabilities of PyXie RAT include man-in-the-middle interception, web injections, keylogging functionalities, credential harvesting, network scanning, cookie theft, clearing logs, recording video, running arbitrary payloads, monitoring USB drives and exfiltrating data, WebDav server and Socks5 proxy, VNC connection, certificate theft, checking software, and enumerating the domain with Sharphound.
PyXie RAT Also Used in Ransomware Campaigns
The researchers have also seen evidence of PyXie being used in several ransomware attacks. In this case, the loader is a trojanized open-source Tetris game, which loads an encrypted shellcode payload known as settings.dat from an internal network share.