A Remote Access Trojan (RAT) dubbed PyXie RAT, was reported by the researchers at BlackBerry Cylane to have multiple capabilities such as stealing passwords, monitoring actions on the infected system and spreading malware. It also uses the open-source project SharpHound to gather Active Directory (AD) information. Although PyXie RAT has been observed in the wild since 2018, it has not received much attention from the security community or been named until now. This RAT uses an open-source Tetris game to disguise its malicious content, loading the RAT and Cobalt Strike stagers. The full extent of this campaign is still not certain. Cylane’s team has identified attacks against over 30 organizations, primarily in the educational and healthcare fields.
Analyst Notes
Standard cybersecurity practices can be used to defend against PyXie RAT. Routine patching of systems and applications helps by removing vulnerabilities that have been addressed by patches. Updating to the latest security definitions available from Anti-Virus (AV) products helps to ensure that any known malware samples are detected. Endpoint detection services, such as the Binary Defense Security Operation Center, can monitor and defend from attacks that evade anti-virus or exploit unpatched vulnerabilities to either stop or minimize damage caused by malicious programs. Auditing, logging, and monitoring of network activity can also help to identify unusual patterns of activity that can be suspicious. Lastly, users should be wary of any game/program that is free and which the organization has not authorized.
Sources: https://www.zdnet.com/article/this-trojan-malware-is-being-used-to-steal-passwords-and-spread-ransomware/
https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html
