Newly discovered Windows info-stealing malware linked to an active threat group tracked as AridViper shows signs that it might be used to infect computers running Linux and macOS.
The new trojan, dubbed PyMICROPSIA by Unit 42, was discovered while investigating AridViper activity (also tracked as Desert Falcon and APT-C-23), a group of Arabic speaking cyberspies focusing their attacks on Middle Eastern targets since at least 2011.
AridViper operates mainly out of Palestine, Egypt, and Turkey, and the number of victims they compromised exceeded 3,000 in 2015 [PDF], according to the Global Research and Analysis Team (GReAT) at Kaspersky Lab.
While PyMICROPSIA is a Python-based malware that specifically targets Windows systems using a Windows binary generated using PyInstaller, Unit 42 has also found code snippets showing that its creators are potentially working on adding multi-platform support.
"PyMICROPSIA is designed to target Windows operating systems only, but the code contains interesting snippets checking for other operating systems, such as 'posix' or 'darwin'," as Unit 42 said.
"This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before and this could represent a new area the actor is starting to explore."
Despite this, these checks might have been introduced by the malware's developers while copy-pasting code from other 'projects' and could very well be removed in future versions of the PyMICROPSIA trojan.
When it comes to this trojan's capabilities, Unit 42 has unearthed a long list of features while analyzing malware samples found on compromised devices and payloads (not Python-based) downloaded from attackers' command-and-control (C2) servers.
The list of information-stealing and control capabilities includes data theft, device control, and additional payload delivery features.
The full list of capabilities includes but it's not limited to:
PyMICROPSIA makes use of Python libraries for a wide range of purposes, ranging from information and file theft to Windows process, file system, and registry interaction.
The trojan's keylogging capability implemented using the GetAsyncKeyState API is part of a separate payload it downloads from the C2 server.
A downloaded payload is also used for gaining persistence by dropping a .LNK shortcut in the compromised computer's Windows Startup folder.
However, PyMICROPSIA will also employ other persistence methods including setting up dedicated registry keys that will relaunch the malware after system restarts.
Based on the connections found by Unit 42 between PyMICROPSIA and AridViper's MICROPSIA malware, this threat actor "maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets."