Tetris game app used to distribute PyXie Python RAT

A new remote access trojan whose name reminds one of a fairytale and not the potential nightmare it could bring to its victim has been disclosed by Cylance.

PyXie Python RAT has been flitting about since 2018, helping deliver ransomware and other malware to the healthcare and education industries. The RAT has been observed being delivered through malicious Tetris apps that load and execute the pen testing tool Cobalt Strike and a custom shellcode loader.

“The loader is a Trojanized open source Tetris game. It has been modified to load an encrypted shellcode payload named ‘settings.dat’ from an internal network share and inject it into a new process,” Cylance said.

Once installed, the RAT can conduct a laundry list of malicious activity, ranging from man-in-the-middle attacks and keylogging to running arbitrary payloads, Cylance reported.

A campaign using PyXie typically relies on legitimate LogMeIn and Google binaries to sideload payloads, a downloader similar to those used by Shifu and Cobalt Mode, a custom-compiled Python interpreter that uses scrambled opcodes to hinder analysis, and a modified RC4 algorithm that encrypts payloads with a unique key per infected host.

An attack has three distinct stages. The first is the loader, using the LogMeIn or Google binary; the second is installation and persistence, which fingerprints the targeted machine by generating a hardware ID hash and runs a process to download the third stage.

At this point, two mutexes are created to prevent two instances of the malware from running on the same device, and if the process infected by the loader has admin privileges, PyXie will attempt to use them to escalate its own privileges.

The third stage features the Cobalt Mode downloader, which connects to a command and control (C&C) server, downloads a full-featured, encrypted Python RAT compiled into an executable, decrypts the payload, maps and executes it in the address space of the current process, and finally spawns a new process for code injection.

The malware is now ready to begin operating.
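As an added example (not code from the Cylance report or from SC Media), the following Python snippet shows one way a defender could hunt for the loader behaviour described above: a process that reads settings.dat from an internal network share and then creates a thread in another process. The telemetry records are constructed, and their Sysmon-style field layout and event numbering are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like form (not real data):
# (event_id, pid, image, detail). Event 11 is treated here as a file access and
# event 8 as CreateRemoteThread into another process; both are assumptions.
SAMPLE_EVENTS = [
    (1, 4242, r"C:\Users\u\Downloads\tetris.exe", "created"),
    (11, 4242, r"C:\Users\u\Downloads\tetris.exe", r"\\fileserv01\public\settings.dat"),
    (8, 4242, r"C:\Users\u\Downloads\tetris.exe", "target_pid=5100"),
    (1, 3001, r"C:\Windows\System32\notepad.exe", "created"),
    (11, 3001, r"C:\Windows\System32\notepad.exe", r"C:\Users\u\notes.txt"),
]

# A UNC path (\\server\share\...) whose file name is settings.dat.
UNC_SETTINGS_DAT = re.compile(r"^\\\\[^\\]+\\.*settings\.dat$", re.IGNORECASE)


def find_loader_chains(events):
    """Return (pid, image, detail) for every process that first read
    settings.dat from a network share and afterwards created a remote
    thread. Events must be in chronological order; a remote thread seen
    before the share read is deliberately not flagged."""
    read_share = defaultdict(bool)
    hits = []
    for event_id, pid, image, detail in events:
        if event_id == 11 and UNC_SETTINGS_DAT.match(detail):
            read_share[pid] = True
        elif event_id == 8 and read_share[pid]:
            hits.append((pid, image, detail))
    return hits


if __name__ == "__main__":
    for pid, image, detail in find_loader_chains(SAMPLE_EVENTS):
        print(f"suspicious loader chain: pid={pid} image={image} {detail}")
```

Only the constructed Tetris process is reported; notepad.exe reads a local file and never injects, so it is ignored.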
