Rewterz Threat Alert – APT-C-23 Distributes Information Stealer PyMICROPSIA

Severity

High

Analysis Summary

A new information stealing Trojan named PyMICROPSIA is being distributed. This Trojan was similar to the MICROPSIA malware family but is written in Python, thus the “Py” prefix. Researchers believe that this Trojan is being deployed by the threat group AridViper (aka Desert Falcon, Arid Viper, APT-C-23), a group known to target the Middle Eastern region. Besides hosting PyMICROPSIA on the attacker’s infrastructure, two additional samples were found that provided persistence and keylogging capabilities to PyMICROPSIA. Some of PyMICROPSIA’s capabilities include file uploading, downloading and executing additional payloads, browser credential theft, keylogging, collecting process and file listing information, process termination, audio recording, as well as others. PyInstaller was used on PyMICROPSIA to convert the Python-based code into a Windows executable, however they may be branching out to other operating systems, other than Windows, based on checks in the codes for “posix” or “darwin”.

PyMICROPSIA has a rich set of information-stealing and control capabilities, including:

• File uploading.
• Payload downloading and execution.
• Browser credential stealing. Clearing browsing history and profiles.
• Taking screenshots.
• Keylogging.
• Compressing RAR files for stolen information.
• Collecting process information and killing processes.
• Collecting file listing information.
• Deleting files.
• Rebooting machine.
• Collecting Outlook .ost file. Killing and disabling Outlook process.
• Deleting, creating, compressing and exfiltrating files and folders.
• Collecting information from USB drives, including file exfiltration.
• Audio recording.
• Executing commands.

Impact

• Unauthorized Code Execution
• Credential Theft
• Information theft
• Process Termination
• Data Manipulation

Indicators of Compromise

Domain Name

• judystevenson[.]info
• escanor[.]live
• tatsumifoughtogre[.]club
• robert-keegan[.]life
• chad-jessie[.]info
• krasil-anthony[.]icu
• nicoledotson[.]icu
• jaime-martinez[.]info
• benyallen[.]club
• baldwin-gonzalez[.]live

MD5

• 94a5e595be051b9250e678de1ff927ac
• ae0b53e6b378bf74e1dd2973d604be55
• cf24ddd2bfd6ea9b362722baff36cc21
• 9d76d59de0ee91add92c938e3335f27f
• f49d5cd5ce822d0bdf935823792da8ee
• c7d7ee62e093c84b51d595f4dc56eab1
• 533b1aea016aacf4afacfe9a8510b168
• 6e2d058c3508694a392194dbb6e9fe44
• ca1d9908f32ee5c0bdd9b4efec79108f
• bbf630ca23976ddf8a561ccdb477c73d
• 315c2dbe40bc2dc62cd58872744d1f0c

SHA-256

• e869c7f981256ddb7aa1c187a081c46fed541722fa5668a7d90ff8d6b81c1db6
• 3da95f33b6feb5dcc86d15e2a31e211e031efa2e96792ce9c459b6b769ffd6a4
• d28ab0b04dc32f1924f1e50a5cf864325c901e11828200629687cca8ce6b2d5a
• db1c2482063299ba5b1d5001a4e69e59f6cc91b64d24135c296ec194b2cab57a
• b0562b41552a2fa744390a5f79a843940dade57fcf90cd23187d9c757dc32c37
• eab20d4c0eeff48e7e1b6b59d79cd169cac277aeb5f91f462f838fcd6835e0ac
• 42fa99e574b8ac5eddf084a37ef891ee4d16742ace9037cda3cdf037678e7512
• 2115d02ead5e497ce5a52ab9b17f0e007a671b3cd95aa55554af17d9a30de37c
• a60cadbf6f5ef8a2cbb699b6d7f072245c8b697bbad5c8639bca9bb55f57ae65
• b61fa79c6e8bfcb96f6e2ed4057f5a835a299e9e13e4c6893c3c3309e31cad44
• 078212fc6d69641e96ed04352fba4d028fd5eadc87c7a4169bfbcfc52b8ef8f2
• 83e0db0fa3feaf911a18c1e2076cc40ba17a185e61623a9759991deeca551d8b
• 0d65b9671e51baf64e1389649c94f2a9c33547bfe1f5411e12c16ae2f2f463dd
• eda6d901c7d94cbd1c827dfa7c518685b611de85f4708a6701fcbf1a3f101768
• 381b1efca980dd744cb8d36ad44783a35d01a321593a4f39a0cdae9c7eeac52f
• 5b8b71d1140beaae4736eb58adc64930613ebeab997506fbb09aabff68242e17
• 26253e9027f798bafc4a70bef1b5062f096a72b0d7af3065b0f4a9b3be937c99
• 4eced949a2da569ee9c4e536283dabad49e2f41371b6e8d40b80a79ec1b0e986
• 82ad34384fd3b37f85e735a849b033326d8ce907155f5ff2d24318b1616b2950
• 3c8979740d2f634ff2c0c0ab7adb78fe69d6d42307118d0bb934f03974deddac
• 3884ac554dcd58c871a4e55900f8847c9e308a79c321ae46ced58daa00d82ab4
• ddaeffb12a944a5f4d47b28affe97c1bc3a613dab32e5b5b426ef249cfc29273
• 46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531
• 47d53f4ab24632bf4ca34e9a10e11b4b6c48a242cbcfcb1579d67523463e59d2

SHA1

• addbe1ef3cfd003a619c34d5be76cd628e172812
• 891e252012f20a6df46e3bb031448e97ad954b70
• 73bea795f6bd2d14887c966bdf281a5e6d7365d1
• 815ede3108a25cae967487b53a51308f0542f8a8
• 3dba4c3a2a5e0948fb4c68d3e97870ba8dbc0f0f
• 0b56ea9803900e83e0f3d3a77d9467ba1621c0e4
• d6b246959385362894ab96c724ea80add019869b
• 062f72e9ec84b1ceeceec58e9e8fb63b4d507ee9
• 323efb84b5f57db00b9bb3519117a6fa0f40ef5a
• 8000766286b4030ffe6d52d6b380a367bf8d5120
• abe9f7e0f270b4629ccf6e5a99983adb313109e5

URL

• https[:]//jaime-martinez[.]info/sujqbrgpb/bztjpskd/rxkwjt

Remediation

• Block the threat indicators at their respective controls.
• Do not download files from untrusted emails and other untrusted sources.