Another cybersecurity threat is now in the wild aiming at Windows users. Researchers have discovered PyMICROPSIA info-stealing trojan that particularly serves as a Windows malware for now. Though, it has some new targets on its list too.
PyMICROPSIA Windows Malware Overview
Researchers from Palo Alto Networks’ Unit 42 division have discovered a new inf-stealing trojan. They found this malware while tracking the AridViper threat group.
In brief, AridViper is a known threat group that caught attention in 2015 as it executed active campaigns in the Middle East.
The researchers have observed that the new Windows malware, named PyMICROPSIA, belongs to the same threat group.
However, analyzing the malware reveals it to be a new Trojan that bears additional malicious capabilities. Nonetheless, it has the same target list.
The malware is so named as it belongs to the MICROPSIA family and is written in Python. Specifically, its malicious functionalities include data stealing, file deletion, taking screenshots, audio recording, command execution, and more.
Whereas, it also drops additional payloads on the target systems that serve for keylogging and persistence. These additional payloads are not written in Python.
Regarding the C&C, the researchers observed a simply HTTP POST-based protocol. The malware communicates with C2 over different URIs paths and variables based on the function in action.
Also, some code branches appeared non-functional which shows that the malware is still under development.
More Targets Besides Windows In Plan
For now, PyMICROPSIA seems to specifically aim at Windows systems.
However, the researchers noticed some code snippets within the malware that check for “posix” and “Darwin”. According to the researchers,
PyMICROPSIA is designed to target Windows operating systems only, but the code contains interesting snippets checking for other operating systems, such as “posix” or “darwin”. This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before and this could represent a new area the actor is starting to explore.
Technical details about this Windows malware are available in the researchers’ recent post here.