A new information stealing Trojan named PyMICROPSIA is being distributed. This Trojan was similar to the MICROPSIA malware family but is written in Python, thus the “Py” prefix. Researchers believe that this Trojan is being deployed by the threat group AridViper (aka Desert Falcon, Arid Viper, APT-C-23), a group known to target the Middle Eastern region. Besides hosting PyMICROPSIA on the attacker’s infrastructure, two additional samples were found that provided persistence and keylogging capabilities to PyMICROPSIA. Some of PyMICROPSIA’s capabilities include file uploading, downloading and executing additional payloads, browser credential theft, keylogging, collecting process and file listing information, process termination, audio recording, as well as others. PyInstaller was used on PyMICROPSIA to convert the Python-based code into a Windows executable, however they may be branching out to other operating systems, other than Windows, based on checks in the codes for “posix” or “darwin”.
PyMICROPSIA has a rich set of information-stealing and control capabilities, including: