
New Malware “PyXie” Uses Trojanized Tetris Game

Researchers have discovered a malware operation that uses a trojanized version of the Tetris game to target healthcare and educational institutions and steal credentials.

Security researchers at BlackBerry Cylance stated that threat actors are trying to distribute ransomware with a malware family named “PyXie”. PyXie, which is written in the Python programming language, is said to have been in the wild since 2018.

According to a report from BlackBerry Cylance, the Python-based trojan gives attackers control of Windows systems, letting them monitor user actions and steal sensitive data.

PyXie is highly customizable and can be used to launch a variety of attacks, including credential harvesting, man-in-the-middle, web injection, keylogging, and video harvesting, according to Ryan Tracey, a senior threat researcher at BlackBerry Cylance.

Spreading via Trojanized Tetris Game

The analysts observed that an unknown hacking group used the legitimate Cobalt Strike software together with a trojanized Tetris game to spread the malware.

Once the victim downloads the game, the trojanized Tetris app executes Cobalt Strike binaries, which escalate privileges on the victim’s Windows system. After the trojan is injected, a malware downloader called Cobalt Mode is also installed on the system to help the attackers perform tasks such as communicating with the command-and-control server and downloading and decrypting the payload.

It is still unclear who is behind the PyXie campaign.

“PyXie has been deployed in an ongoing campaign that targets a wide range of industries. It has been seen in conjunction with Cobalt Strike beacons as well as a downloader that has similarities to the Shifu banking Trojan. Analysts have observed evidence of the threat actors attempting to deliver ransomware to the healthcare and education industries with PyXie,” stated the report.

Despite PyXie’s advanced capabilities, the researchers stated that it can be prevented by application patching, endpoint-protection technology, and the auditing, logging, and monitoring of endpoint and network activity.