# When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777 **unit42.paloaltonetworks.com/vatet-pyxie-defray777/4** Ryan Tracey, Drew Schmitt November 7, 2020 By [Ryan Tracey and](https://unit42.paloaltonetworks.com/author/ryan-tracey/) [Drew Schmitt](https://unit42.paloaltonetworks.com/author/drew-schmitt/) November 6, 2020 at 6:15 PM [Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Ransomware,](https://unit42.paloaltonetworks.com/category/ransomware/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/) Tags: [Defray777,](https://unit42.paloaltonetworks.com/tag/defray777/) [PyXie,](https://unit42.paloaltonetworks.com/tag/pyxie/) [Vatet](https://unit42.paloaltonetworks.com/tag/vatet/) This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/vatet-pyxie-defray777/) ## Linking Vatet, PyXie and Defray777 While researching these malware families, we found that there were several consistencies between Vatet, PyXie and Defray777 that strongly suggest that all three malware families were created, and are currently maintained by, the same financially motivated threat group. **PDB Path Reuse** As we saw with the Defray777 decryptors, there are numerous victims that have been impacted by Defray777. However, these decryptors also show some overlap with PyXie. One of the decryptors we analyzed shares a common path with earlier versions of PyXie and its ----- Cobalt Mode downloader. Defray777 Decryptor Z:\coding\pyproject\compiled\ransom\ransom.pdb PyXie z:\coding\pyproject\python_static_2.7.15\ Cobalt Mode Z:\coding\pyproject\compiled\cobalt_mode\cobalt_mode.pdb _Table 19. PDB paths shared between Defray777, PyXie and Cobalt Mode._ Additionally, some of the variants of Vatet we observed also have overlapping PDB paths. Tetris C:\Users\1\Downloads\tetris-game-master\Release\TetrisGame_zjy.pdb Notepad C:\Users\1\Downloads\notepad-master\Debug\notepad.pdb Rainmeter C:\Users\1\Downloads\rainmeter-master\x32Release\Obj\Library\Rainmeter.pdb Rainmeter C:\Users\1\Downloads\rainmeter-master\x32Release\Obj\Application\Rainmeter.pdb Notepad++ C:\Users\1\Downloads\notepad-plus-plus-master\PowerEditor\bin\npp.pdb _Table 20. PDB paths shared between Vatet variants._ **String Encryption** During our research, we observed that the method of string encryption in each of the variants was consistent. Defray777 uses the same string encryption that was used in PyXie. Additionally, the same string encryption methodology was observed in the Tetris variant of Vatet loader. Figure 26. Defray777 string decryption example. **Creating Mutexes** ----- Defray777 uses the same Mutex routine as the updated PyXie sample we analyzed, including the DEFAULTCOMPNAME fallback. One thing Defray777 does differently is that it omits the step where the computed MD5 hash is XOR’d with 0x2. Figure 27. The Defray777 mutex creation process. ## Conclusion Since 2018, a financially-motivated threat group has been using a combination of Vatet loader, PyXie RAT and Defray777 ransomware to target organizations in the healthcare, education, government and technology industries without drawing attention to themselves. They’ve only been a blip on the radar. We have exposed this group’s desire to use open source tools as a means for the Vatet loader. We have shown how PyXie is used to conduct reconnaissance and find and exfiltrate data. We have also uncovered how this group uses Cobalt Strike to deliver Defray777 into memory to encrypt files, causing catastrophic damage to their victims. We hope that by shining more light on this group of threat actors, we can help disrupt their ability to conduct ransomware operations. Now that they are on the radar, we must aim to keep them there. Palo Alto Networks customers are protected from this threat in the following ways: [All samples in this report have a malicious verdict in WildFire.](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) [Cortex XDR detects these threats.](https://www.paloaltonetworks.com/cortex/endpoint-protection) [Command and Control infrastructure has been classified as malicious in URL Filtering.](https://www.paloaltonetworks.com/products/threat-detection-and-prevention/web-security) [Continue reading: Indicators of Compromise](https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5) **Get updates from** **Palo Alto** **Networks!** Sign up to receive the latest news, cyber threat intelligence and research from us [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy](https://www.paloaltonetworks.com/legal-notices/terms-of-use) Statement. -----