New AridViper Malware Targets Outlook Users

What do we know?

• The newly developed Python-based malware—called PyMicropsia—has several information-stealing and control capabilities such as keylogging, downloading and executing payloads, stealing browser credentials, clearing browsing history and profiles, rebooting machines, collecting Outlook processes, and many more.
• The trojan contains both built-in Python libraries and specific packages including PyAudio and mss for multiple purposes including information-stealing, interacting with Windows processes, networking, file system, Windows registry, and so on.
• The malware is likely under active development as several of its code sections were found unused, indicating that it is.

Insights from the code

• Its code variables contained references to multiple famous Hollywood actor names, including  Fran Drescher and Keanu Reeves.
• Its code snippets also check for other operating systems such as Posix or Darwin.
• Besides code overlap, PyMicropsia and Micropsia share similar C2 communication URI path structures, and similar TTPs, as per the report.

AridViper’s recent activity

• In September, AridViper hacking group was found using an Android spyware variant called Android/SpyC32.A to snoop on WhatsApp and Telegram users.
• In September, the Cybereason Nocturnus team noted that the Evilnum group was using Python-scripted Remote Access Trojan (RAT), dubbed PyVil RAT to target different companies across the UK and EU.

The bottom line