Cybersecurity researchers always keep an eye for any vulnerabilities on smartphones and computer systems. Recently a new malware was found that can cause all sorts of nefarious deeds, including keylogging, stealing login credentials and recording videos. As per the experts this newly discovered hacking campaign by a 'sophisticated cyber-criminal operation' is mainly targeting healthcare and education institutions.

Newly found malware issue

Cybersecurity experts have detected a new trojan malware called PyXie RAT which can distribute other attacks, including ransomware. This threat, which is being run by a sophisticated cyber-criminal operation targeting healthcare and education organizations, is custom-built and Python-based. The malware can take control over most Windows systems and allow the cybercriminals to monitor as well as steal sensitive data.

The malicious software can also perform cookie theft and man-in-the-middle attacks. The researchers are worried about this malware mostly because of its ability to deploy different forms of malware on infected systems. It should be noted that as per the new findings on this malware, PyXie RAT can clear any evidence of its nefarious activity to prevent detection.

Detection of PyXie RAT

new android malware
Malware attack Reuters

Even though the malware was well known for its masking abilities, researchers at Blackberry Cylance, which is a software firm that develops antivirus programs and other kinds of computer software that prevent viruses and malware, found the PyXie RAT.

The name was PyXie RAT because the malware uses a ".pyx" file extension instead of the ".pyc" extension typically associated with Python. It is active since 2018 and lots of resources, as well as time, were applied to its development by the hackers that are delivered to victims by using a sideloading technique that leverages legitimate apps to help compromise the target computer.

It should be noted that Toirjan versions of an open-source game not only infects the computers but also after the installation, it uses PowerShell to escalate privileges and gain persistence on the machine to install PyXie RAT malware.

What is 'Cobalt Mode'

The malware leverage "Cobalt Mode" which connects to a command and control server to download the final payload. It also takes advantage of Cobal Strike, which is a legitimate penetration testing tool to help install the malware. PyXie RAT malware is claimed to be similar to the Shifu banking Trojan, but it was not revealed whether the same group operates them.

However, Josh Lemos, VP of research and intelligence at Blackberry Cylance, told ZDNet that "The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber-criminal operation."

He also added that the "RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances."