Psylo

Psylo is a new, previously unreported Trojan malware discovered by Unit 42 during an infrastructure analysis of FakeM Custom SSL variants. The malware was named after the anagram 'hnxlopsyxt', which is the mutex created when initially running the payload. Psylo has been found to have overlaps with FakeM, Elirks, and MobileOrder in terms of command and control infrastructure, including domain names and IP resolution. However, it's important to note that Psylo is not considered another variant of FakeM due to its distinct command handler. The command handler in Psylo differs dramatically from that of FakeM, as shown in Table 5. It suggests that Psylo is less modular but supports more embedded functionality compared to FakeM. This difference, along with the comparison between Psylo and FakeM custom SSL configurations (Figure 15), indicates that while there may be similarities, Psylo is a unique entity in the world of malware. The connection between FakeM, Psylo, and MobileOrder implies that Scarlet Mimic, a known threat actor, is expanding their espionage efforts from PCs to mobile devices. This marks a significant shift in tactics. Additionally, an overlap was discovered between Psylo's infrastructure and a Trojan focused on compromising Android mobile devices. When communicating with its C2 server, Psylo uses HTTPS with a unique user-agent, notably lacking a space between "5.0" and "(Windows". This discovery underscores the evolving nature of cyber threats and the need for robust security measures against such sophisticated malware.