Researchers on the Global Research and Analysis Team (GReAT) at Kaspersky Lab have recently discovered a new malware strain dubbed PyMICROPSIA, currently being used by a group tracked as AridViper.
AridViper operates primarily in the Middle East, focusing mainly on Palestine, Egypt, and Turkey. Their malware was designed specifically to attack Windows-based machines.
The group hasn’t been terribly active, having compromised a relatively modest 3,000 or so machines since they appeared on Kaspersky’s radar in 2015. That, however, may be changing.
Recent samples of the code reveal that AridViper is continuing to develop their info-stealing malware. They’re arming it with new capabilities and expanding their reach by building in an architecture that will allow them to begin attacking machines running both Linux and macOS.
In terms of new capabilities, AridViper seems to be pulling out all the stops. Not all of these have been activated yet, but hooks are now in the code to build out additional functions.
The new functions include:
- File uploading
- Payload download and execution
- Screen captures
- File compression for easier exfiltration
- Collection of process information which would allow killing system processes
- File deletion
- Automatic reboot
- Disabling Outlook processes
- Creating, deleting, compressing and exfiltrating files and folders
- Collecting information from USB drives
- Audio recording
- And more
All of this is in addition to the malware’s current info-stealing capabilities, which include stealing credentials from browsers, clearing browser histories, keylogging and the like.
In short, if AridViper completes development of all the functions listed above and builds out the capability to deploy their malware against Linux and macOS machines, it will be a dangerous strain indeed.
If you have business dealings in the Middle East, you may have already run afoul of this particular strain. Even if you don’t, this is clearly one to watch for as AridViper seems intent on flexing its muscles in the months ahead.