Latest Malware May Soon Attack Linux, Mac Operating System
According to the report, recently discovered windows info-stealing malware linked to an active grouped tracked as AridViper, it explained that it might be used to infect the Linux and Mac operating System.
The original Trojan named PyMICROPSIA by Unit 42 was exposed while investigating AridViper activity that also tracked as Desert Falcon and APT-C-23. An organization of Arabic Speaking Cyberspies focusing their attacks on Middle Eastern targets since at least 2011.
AridViper operates mainly out of Palestine, Egypt and Turkey and the most of victims they compromised exceeded 3000 in 2015 [PDF]; according to the Global Research and Analysis Team.
New Attack Vectors Initiate within the Code:
- PyMICROPSIA is a python-based malware that specifically targets windows based Operating System. Cyber criminal use binary generated pyInstaller. Unit 42 has also discovered code snippets that its inventor are potentially working on adding multi-platform support.
- It is mainly designed to target Windows operating system but the code contains interesting snippets checking for other operating system such as ‘posix’ or ‘drawin’ as unit 42.
- It might have been introduces by the malware’s developers while copy –pasting code from other projects and could very well be removed in future version of the PyMICROPSIA
Data Theft and Delivery of additional payloads:
- Unit 42 has unearthed a long list of feature while analysing malware found on compromised System and payload or download from attackers command and control (C2) server while it comes to PyMICROPSIA Trojan.
- The list of information-stealing and control capabilities includes data theft, device control and additional payload distribution features.
- PyMICROPSIA makes use of python libraries for a wide range of purposes, ranging from information and file theft to windows process, file system and registry interaction.
- The Trojan’s keylogging capability implemented using the GetAsynckey state API that is a part of a single Payload it downloads from the C2 server.
- A downloaded payload is also used for gaining persistence by reducing a .LNK shortcut in the compromised System Windows Startup folder.