
Rewterz Threat Alert – APT-C-23 Distributes Information Stealer PyMICROPSIA

December 15, 2020

Severity

High

Analysis Summary

A new information-stealing Trojan named PyMICROPSIA is being distributed. The Trojan is similar to the MICROPSIA malware family but is written in Python, hence the “Py” prefix. Researchers believe it is being deployed by the threat group AridViper (aka Desert Falcon, Arid Viper, APT-C-23), a group known to target the Middle East. Besides PyMICROPSIA itself, two additional samples hosted on the attacker’s infrastructure provide it with persistence and keylogging capabilities. PyMICROPSIA’s capabilities include file uploading, downloading and executing additional payloads, browser credential theft, keylogging, collecting process and file listing information, process termination, and audio recording, among others. PyInstaller was used to convert the Python code into a Windows executable; however, checks in the code for “posix” and “darwin” suggest the operators may be branching out to operating systems other than Windows.
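
Because the sample is a PyInstaller bundle, a quick triage step is to confirm the PyInstaller cookie at the tail of the executable and read the Python version it was built with. The following is an added example (not code from the advisory or from the malware): it assumes the 88-byte cookie layout used by PyInstaller 2.1 and later, and the sample bundle it parses is constructed inline.

```python
import struct

# PyInstaller CArchive cookie (PyInstaller 2.1 and later): magic, package length,
# TOC position, TOC length, Python version, and a 64-byte Python library name.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIII64s"  # big-endian, as written by the PyInstaller bootloader
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> int:
    """Return the offset of the last PyInstaller magic in data, or -1 if absent."""
    return data.rfind(PYINSTALLER_MAGIC)


def parse_pyinstaller_cookie(data: bytes):
    """Parse the PyInstaller cookie appended to a PyInstaller-built executable.

    Returns a dict with the archive metadata, or None if the file is not a
    PyInstaller bundle (or the cookie is truncated).
    """
    off = find_pyinstaller_cookie(data)
    if off < 0 or off + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[off:off + COOKIE_SIZE])
    # Newer PyInstaller encodes 3.10 as 310; older releases encode 3.7 as 37.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": off,
        "package_length": pkg_len,
        "toc_position": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_library": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample_bundle() -> bytes:
    """Constructed sample: a fake PE-like prefix with a PyInstaller cookie appended."""
    body = b"MZ" + b"\x00" * 200 + b"<PyInstaller overlay>"
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, len(body), 100, 40, 37,
                         b"python37.dll")
    return body + cookie


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample_bundle()))
    print(parse_pyinstaller_cookie(b"MZ" + b"\x00" * 64))  # plain file -> None
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `parse_pyinstaller_cookie`; a hit tells you the bundle can be unpacked for further analysis of the embedded Python code.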

PyMICROPSIA has a rich set of information-stealing and control capabilities, including:

  • File uploading.
  • Payload downloading and execution.
  • Browser credential stealing. Clearing browsing history and profiles.
  • Taking screenshots.
  • Keylogging.
  • Compressing RAR files for stolen information.
  • Collecting process information and killing processes.
  • Collecting file listing information.
  • Deleting files.
  • Rebooting machine.
  • Collecting Outlook .ost file. Killing and disabling Outlook process.
  • Deleting, creating, compressing and exfiltrating files and folders.
  • Collecting information from USB drives, including file exfiltration.
  • Audio recording.
  • Executing commands.
In short, the main features of PyMICROPSIA are file uploading, payload drop and execution, browser credential stealing, screenshots, keylogging, collection of local machine information, management and exfiltration of files, collection of Outlook information, audio recording, and command execution.

Impact

  • Unauthorized Code Execution
  • Credential Theft
  • Information theft
  • Process Termination
  • Data Manipulation

Indicators of Compromise

URL

  • https[:]//jaime-martinez[.]info/sujqbrgpb/bztjpskd/rxkwjt

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files from untrusted emails and other untrusted sources.