PyXie Remote Access Trojan

PyXie is a newly observed Python-based remote access trojan that is used in highly targeted campaigns against financial, engineering, and government organisations.


Affected platforms

The following platforms are known to be affected:

Threat details

The group operating PyXie uses a complex attack chain that leverages legitimate applications as a first-stage loader. These applications side-load an initial malicious DLL, which decrypts a hard-coded secondary payload and injects it into a running process. This second stage collects system information and escalates its own privileges before decompressing a third-stage payload (called Cobalt Mode) and injecting it into a new process. The third stage then connects to a command and control (C2) server to download an encrypted package containing PyXie together with a custom Python interpreter. The package is decrypted and PyXie is injected into a newly created process.

Once installed, PyXie will connect to a secondary C2 server before awaiting further commands. By default, it has the following capabilities:

  • User and system information collection.
  • Credential, cookie, log, and certificate extraction.
  • Payload installation.
  • Keylogging.
  • Network enumeration and monitoring.
  • Device audio and video recording.
  • WebDAV server and SOCKS5 proxy creation.
  • Man-in-the-Middle attacks.

Remediation steps

To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic approach to cyber security as advocated by the 10 Steps to Cyber Security.


Indicators of compromise

Main indicators

Last edited: 29 June 2021 11:57 am