New Trojan Steals Outlook Files and More!
Table of Contents
- By Dawna M. Roberts
- Published: Dec 17, 2020
- Last Updated: Mar 18, 2022
Threatpost and Palo Alto Networks reported that there is a new Trojan on the horizon that steals Outlook files as well as many other functions. Unit 42 researchers discovered the hacker group behind it, and they named it AridViper.
What is a Trojan?
Although many people may have heard of a Trojan, they may not be 100% sure what it is or how it works. According to Norton Antivirus, a Trojan is malicious code “designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network.”
The scary part is it acts like a legitimate program and may even come bundled with a legitimate piece of software that you download and install. Trojans are regularly called viruses, but the is incorrect. Viruses have the ability to replicate themselves and move from device to device or computer to computer; Trojans do not. They must be installed/executed by a human being. It is correct to call Trojans malware.
Often Trojans come to you as attachments in an email, which is why we often warn never open attachments in email. Some Trojans steal information, some spy on you, others download additional software or provide remote access so the threat actor can take control. Some Trojans are used for ransomware, to distribute DDoS attacks, or send messages on your behalf.
What is PyMICROPSIA?
The name sounds like a dangerous virus, but it is actually a malicious information-stealing Trojan built on the Python framework and used by AridViper to target Microsoft Windows machine users. The hacker group is well known for their exploits, especially in regards to Middle Eastern targets.
Threat researchers have unpacked the Trojan and examined how it works and what it does. Palo Alto Networks detailed its extensive capabilities:
- “File uploading.
- Payload downloading and execution.
- Browser credential stealing. Clearing browsing history and profiles.
- Taking screenshots.
- Keylogging.
- Compressing RAR files for stolen information.
- Collecting process information and killing processes.
- Collecting file listing information.
- Deleting files.
- Rebooting machine.
- Collecting Outlook .ost file. Killing and disabling Outlook process.
- Deleting, creating, compressing, and exfiltrating files and folders.
- Collecting information from USB drives, including file exfiltration.
- Audio recording.
- Executing commands.”
They went onto explain some further details “It implements its main functionality by running a loop, where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator.”
Alarmingly, the malware uses two Python libraries: PyAudio to steal audio snippets, and mss, for stealing screenshots. Other libraries assist the software in interacting with the Windows registry and networking files.
Because some of the code is incomplete, Palo Alto theorizes that AridViper is working on new targets and devising tactics and code to exploit additional areas.
One of the most disturbing aspects of the software is that it openly exploits OST files (Outlook Data File), where your email, calendar, tasks, and contacts are stored.
Palo Alto Networks said that the malware “implements its main functionality by running a loop, where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator.”
Some code snippets reference famous character names such as Rapunzel, Mulan, Eeyore, Pocahontas, and more.
Code Overlap
Something the researchers found interesting is that “One of the first things that caught our attention regarding this sample was the C2 implementation and capabilities, which are quite similar to known MICROPSIA samples. One of the tactics, techniques, and procedures (TTPs) observed across MICROPSIA samples is the use of rar.exe to compress data for exfiltration. In this version, rar.exe is downloaded from the C2 infrastructure and used with very similar parameters as observed in previous samples.”
These particular threat actors focus on themes using references from shows like The Big Bang Theory and Game of Thrones. In this newest strain, the names FranDrescher and KeanuReeves show up. The code also references Disney characters and shows Arabic symbols in the comments.
Palo Alto concluded their report with, “AridViper is an active threat group that continues developing new tools as part of their arsenal. PyMICROPSIA shows multiple overlaps with other existing AridViper tools such as MICROPSIA. Also, based on different aspects of PyMICROPSIA that we analyzed, several sections of the malware are still not used, indicating that it is likely a malware family under active development by this actor.”
How to Protect Yourself Against This Latest Threat
As always, never click a link or download an attachment in an email. Some other tips are:
- Keep robust antivirus/anti-malware software running on all devices.
- Never download software from untrusted sources.
- Use strong passwords and do not share them.
- Install a VPN to keep your browsing safe.
Use common sense with email and logging onto digital resources, especially your bank and credit card accounts.
