
TLP AMBER

Advisory: Detection of PyXie RAT, custom loaders and details of their combined use
in ransomware campaigns

Version 1.0
Reference: NCSC-Ops/09-20
30 June 2020
© Crown Copyright 2020


About this document

This report provides information derived from NCSC and industry analysis on how to
detect PyXie RAT and other custom loaders. It also provides details of their use in
ransomware campaigns.

Handling of the report

Information in this report has been given a Traffic Light Protocol (TLP) of AMBER,
which means it can only be shared within the Cyber-Security Information-Sharing
Partnership (CiSP) community and with clients or customers who need to know the
information. You must ensure that you store, handle and transmit the report in the
manner appropriate to its TLP.

Disclaimer
This report draws on information derived from NCSC and industry sources. Any NCSC
findings and recommendations made have not been provided with the intention of
avoiding all risks, and following the recommendations will not remove all such risk.
Ownership of information risks remains with the relevant system owner at all times.


Introduction
As ransomware continues to adversely affect UK organisations, the NCSC has
investigated several UK incidents in which two distinct custom loaders have been used
to deploy a ransomware payload.
These loaders have been used in attacks against the healthcare, medical and
transport sectors, although other sectors could also be impacted. In some cases,
the loader also appears to be part of the infection chain for the Python-based remote
access trojan PyXie RAT.
This advisory, which details NCSC and partner analysis, provides further details, as well
as detection rules and key indicators of compromise in the appendix.

Details
Vatet
This is a custom shellcode loader which masquerades as legitimate programs, notably
a Tetris game and a notepad application. Microsoft refers to it as Vatet and reports three
attack vectors:

• The Citrix vulnerability CVE-2019-19781 [1]

• Brute-forcing RDP endpoints

• Sending emails containing .lnk files that launch malicious PowerShell commands

Ransomware actors have used Vatet to load and execute encrypted Cobalt Strike
malware payloads from internal network shares on victim networks.

Vatet is known to download a lightly obfuscated variant of the Metasploit
download_exec shellcode payload, which goes on to fetch a further stage from servers
associated with Cobalt Strike and ransomware. It has also been seen directly fetching
Cobalt Strike binaries.

Link to PyXie RAT

NCSC and industry partner analysis shows that in some cases when Vatet is on a
network, the remote access trojan (RAT) PyXie is also present.

PyXie is a fully functional RAT with many capabilities typical of a RAT. A detailed
analysis of PyXie RAT is found in a Cylance blog, which appears to be the first
significant industry reporting on it. It stated that PyXie has been active since at least
2018.

[1] The NCSC published an Advisory about how to defend against this vulnerability in January 2020:
https://www.ncsc.gov.uk/news/citrix-alert

Infection
Method 2 in the diagram below outlines a PyXie infection using the Vatet loader,
while method 1 shows the original method, not using Vatet. Method 1 has not been
seen with new binaries since late 2019, although it is documented that Trickbot has
recently delivered these older tools.

The infection looks like this:

Figure 1: PyXie and Vatet loader infection methods

Ransomware objective
Deploying ransomware is a clear objective of the actor’s use of Vatet loader. The
NCSC and partners have observed that when PyXie is also present on a network,
there appears to be a strong link to the Defray777 ransomware [2]. Without PyXie, Vatet
has been seen dropping other ransomware types, notably Doppelpaymer and
Bitpaymer variants.

Other PyXie capabilities

As a developed RAT, PyXie has other functionalities apart from ransomware
deployment, which include keylogging, credential harvesting, video recording, cookie
theft and the ability to perform man-in-the-middle attacks.

[2] Also supported by the overview in https://www.pondurance.com/777-ransomware-combines-with-trickbot/,
although this predates the naming of PyXie.

The length of time between the first known PyXie activity in 2018 and the publishing
of the Cylance blog in late 2019 highlights the anti-forensic efforts expended by the
PyXie developers.

Conclusion
The anti-forensic efforts used by the PyXie actors could mean that on some networks
PyXie is present but undetected, with the risk that the actor may implement any of its
capabilities at a later date.

The NCSC strongly recommends that organisations use the rules and IoCs in the
appendix to detect any presence of PyXie and the custom loaders detailed in this
advisory on their networks.

Incidents affecting organisations in the UK should be reported to the NCSC via our
website: https://report.ncsc.gov.uk/


Appendix
Detection rules
As is standard practice, organisations are reminded to check for false positives in all
results.

The YARA rule below may detect the presence of Vatet loader on a network:

rule vatet_loader
{
    meta:
        description = "Detects trojanised vatet binary"
        author = "NCSC"
        TLP = "AMBER"
        date = "15/05/2020"

    strings:
        // UNC path of the form \<IPv4>\<13 digits>\<name>.dat or .sto
        $uncpath = /\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\\[0-9]{13}\\.{1,20}\.(dat|sto)/
        // debug symbol path left in the build
        $pdb = /C:\\Users\\1\\Downloads\\.{0,255}\.pdb/

    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
        filesize < 1MB and
        all of them
}
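As an added illustration that is not part of the NCSC advisory, the following Python re-implements the vatet_loader rule's logic (the MZ/PE header check, the size limit and both regex strings) for triage where a YARA binary is not available; the sample bytes it builds are constructed for the test, not a real Vatet binary.

```python
import re
import struct

# Added example, not NCSC code: a pure-Python approximation of the vatet_loader
# YARA rule above, for triage where a YARA binary is not available. The two
# regexes are the rule's $uncpath and $pdb patterns transcribed as written.
MAX_FILESIZE = 1 * 1024 * 1024  # YARA "filesize < 1MB"

# $uncpath: backslash, dotted-quad IP, 13-digit directory, then <name>.dat or .sto
UNC_PATH = re.compile(
    rb"\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\\[0-9]{13}\\.{1,20}\.(dat|sto)"
)
# $pdb: debug symbol path left behind by the builder
PDB_PATH = re.compile(rb"C:\\Users\\1\\Downloads\\.{0,255}\.pdb")


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint16(uint32(0x3c)) == 0x4550 ('PE')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 2] == b"PE"


def matches_vatet_rule(data: bytes) -> bool:
    """The rule's condition: PE header, under 1MB, and all of the strings present."""
    return (
        is_pe(data)
        and len(data) < MAX_FILESIZE
        and UNC_PATH.search(data) is not None
        and PDB_PATH.search(data) is not None
    )


def build_sample(with_strings: bool) -> bytes:
    """Constructed stand-in for a binary: minimal MZ/PE header plus optional strings."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature right after
    body = b"PE\x00\x00" + b"\x00" * 32
    if with_strings:  # shapes the rule looks for; the values are made up
        body += b"\\\\10.0.0.5\\1234567890123\\stage.dat\x00"
        body += b"C:\\Users\\1\\Downloads\\vatet\\loader.pdb\x00"
    return bytes(header) + body
```

Because the rule requires all strings, a sample missing either the UNC path or the PDB path does not match, which mirrors the YARA condition's `all of them`.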


The rule below covers distinctive code sequences found in the side-loading
precursors of PyXie:

import "pe"

rule pyxie_loader_hunt
{
    meta:
        description = "Detects early stages of the PyXie RAT side loading chain"
        author = "NCSC"
        TLP = "AMBER"
        date = "15/05/2020"

    strings:
        // match the import address deobfuscation code found by Cylance
        $old_import_obfuscation = { C6 06 68 89 46 01 C7 46 05 9C 81 74 24 C6 46 09 04 89 4E 0A 66 C7 46 0E 9D C3 }

        // match some other distinctive code sequences and the unusual exe header function
        $dat = ".dat" ascii fullword
        $pecopy = { 8B 45 F8 8B 75 08 8B 48 54 8B FB F3 A4 0F B7 48 14 33 F6 33 D2 8D 4C 01 18 66 3B 70 06 }
        $filecreate = { b? 00 00 00 02 6a 00 5? 6a 03 6a 00 6a 03 68 00 00 00 80 5? ff 15 [7] ff ff }
        $xorloop = { 8a 1c 07 30 18 40 49 75 f7 }
        $AES = { 0F B6 4E 09 0F B6 56 05 8A 46 0D 88 56 09 0F B6 56 0A 88 4E 0D 0F B6 4E 01 88 46 01 8A 46 02 }
        $callaes = { 8D [2] 8D [2] C7 45 [5] C7 45 [5] C7 45 [5] C7 45 [5] C7 45 [5] C7 45 [5] C7 45 [5] C7 45 [5] E8 }

    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
        and
        (
            $old_import_obfuscation or
            (pe.imports("ntdll.dll", "RtlImageNtHeader") and 3 of them)
        )
}


The heavy obfuscation used by PyXie makes searching for the actual RAT payload
on disk unreliable. The Sigma rule below allows detection of common filesystem
activity logged by Sysmon:

title: PyxieRAT Filesystem Activity
description: 'Detects some non-obfuscated filenames used in reconnaissance and browser cookie exfiltration'
status: experimental
author: NCSC
date: 2020/06/01
level: high
action: global
---
logsource:
    product: windows
    service: sysmon
detection:
    selection_recon_sysinfo:
        EventID: 11
        TargetFilename|endswith:
            - 'win32k_ver.txt'
            - 'net_group_domain_admins.txt'
            - 'nltest_domain.txt'
            - 'gpresult_z.txt'
            - 'tasklist_v.txt'
            - 'ipconfig_displaydns.txt'
            - 'wmic_process.txt'
            - 'wmic_qfe_list.txt'
            - 'vssadmin_list_shadows.txt'
    selection_exfil_browsercookies:
        EventID: 11
        TargetFilename|endswith:
            - 'chrome.cookies.1'
            - 'chromium.cookies.1'
            - 'opera.cookies.1'
            - 'firefox.cookies.1'
    condition: selection_recon_sysinfo or selection_exfil_browsercookies
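As an added example, not NCSC tooling, the following Python applies the same two Sigma selections to Sysmon FileCreate (EventID 11) records represented as JSON lines; the records are constructed for illustration and the field names (EventID, Computer, TargetFilename) follow Sysmon's event schema.

```python
import json

# Added example, not NCSC tooling: the Sigma logic above applied directly to
# Sysmon EventID 11 (FileCreate) records. Events are JSON lines in the shape a
# log forwarder might emit; the sample at the bottom is constructed.
RECON_SYSINFO = (
    "win32k_ver.txt", "net_group_domain_admins.txt", "nltest_domain.txt",
    "gpresult_z.txt", "tasklist_v.txt", "ipconfig_displaydns.txt",
    "wmic_process.txt", "wmic_qfe_list.txt", "vssadmin_list_shadows.txt",
)
EXFIL_BROWSERCOOKIES = (
    "chrome.cookies.1", "chromium.cookies.1", "opera.cookies.1", "firefox.cookies.1",
)


def classify(event: dict):
    """Return the name of the Sigma selection the event satisfies, or None."""
    if event.get("EventID") != 11:
        return None
    # Sigma's |endswith modifier is case-insensitive, so normalise first.
    target = str(event.get("TargetFilename", "")).lower()
    if target.endswith(RECON_SYSINFO):
        return "selection_recon_sysinfo"
    if target.endswith(EXFIL_BROWSERCOOKIES):
        return "selection_exfil_browsercookies"
    return None


def scan(lines):
    """Return (Computer, TargetFilename, selection) for every matching record."""
    hits = []
    for line in lines:
        event = json.loads(line)
        selection = classify(event)
        if selection:
            hits.append((event.get("Computer"), event["TargetFilename"], selection))
    return hits


# Constructed sample Sysmon records (not real telemetry).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"C:\Users\Public\tasklist_v.txt"},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"C:\ProgramData\chrome.cookies.1"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\tasklist.exe"},
    {"EventID": 11, "Computer": "WS02", "TargetFilename": r"C:\Users\bob\tasklist_v.txt.bak"},
    {"EventID": 11, "Computer": "WS02", "TargetFilename": r"C:\Temp\WMIC_QFE_LIST.TXT"},
]]
```

The `.bak` record shows why `endswith` rather than `contains` is used: the rule keys on the exact output filenames the tooling writes, so renamed copies are not flagged.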

In addition, endpoint protection should be configured to detect use of the
credential dumpers Sharphound, Lazagne and Mimikatz.


Network detection

The Snort rules from Emerging Threats can be used to detect TLS traffic using
certificates known to be used by PyXie:
https://doc.emergingthreats.net/bin/view/Main/2029083 - sarymar.com
https://doc.emergingthreats.net/bin/view/Main/2029084 - benreat.com
https://doc.emergingthreats.net/bin/view/Main/2029085 - planlamaison.com
https://doc.emergingthreats.net/bin/view/Main/2029086 - teamchuan.com
https://doc.emergingthreats.net/bin/view/Main/2029087 - tedxns.com
https://doc.emergingthreats.net/bin/view/Main/2029088 - athery.bit
https://doc.emergingthreats.net/bin/view/Main/2029089 - babloom.bit
https://doc.emergingthreats.net/bin/view/Main/2029090 - floppys.bit

In addition, PyXie contains a reconnaissance module which performs port-scanning
of the local network, including checks for the SMB vulnerability MS17-010 to enable
lateral movement. Microsoft guidance on ensuring systems are patched against this
vulnerability can be found here.


IOCs

Hashes

Network indicators
Command and control (C2) domains and IPs

Below are the C2 domains and IPs associated with activity described in this advisory
from NCSC and industry partner analysis. This is not an exhaustive list and there are
likely to be more:



Mitigation
The NCSC has published guidance that explains how to defend your organisation from
ransomware and other malware attacks.
You should prioritise:
• keeping safe backups of important files
• defending your systems from malware (noting that paying the ransom may not get
your data back)
See NCSC Guidance:
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
https://www.ncsc.gov.uk/guidance/backing-your-data
The most effective mitigations for ransomware and other malware will include a
defence-in-depth approach that makes it more difficult to successfully deploy malware,
and reduces the impact and spread of a successful infection. We therefore recommend
that, longer term, you should seek to:
• Set up a security monitoring capability so you are collecting the data that will
be needed to analyse network intrusions. See NCSC Guidance:
https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes.
• Update your systems and software. Ensure your operating system and
productivity apps are up to date. Users with Office 365 licensing can use 'click to run'
to keep their office applications seamlessly updated.
• Use modern systems and software. These have better security built-in. If you
cannot move off out-of-date platforms and applications straight away, there are short
term steps you can take to improve your position. See NCSC Guidance:
https://www.ncsc.gov.uk/guidance/obsolete-platforms-security-guidance
• Restrict intruders' ability to move freely around your systems and networks.
Pay particular attention to potentially vulnerable entry points eg third-party systems
with onward access to your core network. During an incident, disable remote access
from third-party systems until you are sure they are clean. See NCSC Guidance:
https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and
https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security.
• Add permitted applications to an allow-list. If supported by your operating
environment, consider putting permitted applications on an allow-list. This will help
prevent malicious applications from running.
• Manage macros carefully: disable Office macros except in the specific apps
where they are required, only enable macros for users that need them day-to-day,
use a recent and fully patched version of Office and the underlying platform, ideally
configured in line with the NCSC’s EUD Security Guidance. See NCSC Guidance:
https://www.ncsc.gov.uk/guidance/end-user-device-security and
https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office
• Use antivirus. Keep any antivirus software up to date, and consider use of a
cloud-backed antivirus product. These provide better threat intelligence and more
advanced analysis. Ensure that it is also capable of scanning MS Office macros. See
NCSC Guidance: https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office
• Deploy a host-based intrusion detection system. A variety of products are
available, free and paid-for, to suit different needs and budgets.
