A new Python-based malware that features remote access trojan capabilities has been spotted in the wild. Researchers at Securonix dubbed this malware “PY#RATION” and released a technical report detailing how the malware spreads and its capabilities. The researchers also note that this is an actively developed malware, with multiple different variants being seen since August.
The researchers indicate that this malware spreads through a phishing campaign using a password-protected ZIP file containing two LNK files. When launched, malicious code is executed to download two TXT files from a Command and Control (C2) server that are eventually renamed to BAT files. When executed, these BAT files create two directories in the user’s temporary directory spoofing Cortana and then additional files are downloaded (including the RAT), unpacked, and executed. Persistence is then established via a BAT file dropped to the user’s Startup folder.
The malware itself is packed into an executable using automated packers such as pyinstaller and py2exe, which results in inflated payload sizes. This also allows the malware to leverage Python's Socket.IO framework for communication. More recent variants also add a layer of encryption, which helps them evade detection. The latest version of the RAT includes an abundance of features including the following:
- Network/Host enumeration
- File transfers between victim and C2
- Shell Commands
- Password/Cookie stealing
- Clipboard stealing
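Because the report attributes the inflated payload sizes to PyInstaller/py2exe packing, a triage step worth automating is recognising a PyInstaller onefile binary before deeper analysis. The script below is an added example written for this summary, not code from Securonix or from the malware; it relies on the documented layout of PyInstaller's archive cookie (an 8-byte magic followed by a packed header that PyInstaller appends to its bootloader), builds a constructed stand-in for a packed binary so it runs offline, and does not cover py2exe. The 10 MB "inflated" threshold is an assumption for illustration, not a figure from the report.

```python
import struct

# PyInstaller's CArchive cookie: magic, archive length, TOC offset, TOC length,
# Python version and the pylib name. The magic and format are PyInstaller's own
# (PyInstaller/archive/readers.py); everything else in this script is an
# illustrative assumption.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes

# Assumed triage threshold for "inflated" payloads (not from the report).
INFLATED_BYTES = 10 * 1024 * 1024


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None.

    The cookie sits at the end of the archive that PyInstaller appends to its
    bootloader, so the last occurrence of the magic is the one to parse.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Newer bootloaders store e.g. 310 for 3.10, older ones store e.g. 37 for 3.7.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "archive_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage(data: bytes) -> dict:
    """Summarise what an analyst would want first: packer, Python version, size."""
    cookie = find_pyinstaller_cookie(data)
    return {
        "size": len(data),
        "inflated": len(data) >= INFLATED_BYTES,
        "packer": "pyinstaller" if cookie else None,
        "python": cookie["python"] if cookie else None,
    }


def build_sample(bootloader_size: int = 4096, archive_size: int = 2048) -> bytes:
    """Constructed stand-in for a packed binary: filler 'bootloader' + filler
    archive + a well-formed cookie. Not derived from any real sample."""
    bootloader = b"MZ" + b"\x90" * (bootloader_size - 2)
    archive_body = b"\x00" * (archive_size - COOKIE_SIZE)
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, archive_size,
                         1000, 200, 310, b"python310.dll")
    return bootloader + archive_body + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(b"MZ" + b"\x00" * 5000))
```

On a real file, read it in binary mode and pass the bytes to `triage`; the cookie lookup is a plain byte search, so it works on the overlay of a PE without any PE parsing. A hit tells you the Python version to target for bytecode decompilation; a miss does not rule out py2exe or other packers.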
As with many campaigns, this malware is spread through phishing techniques. This demonstrates the benefit of employing an email monitoring solution in an enterprise environment. Additionally, it demonstrates the need for constant – and recurring – user education on common phishing tactics and how to detect and protect against them. Apart from these general statements that can apply to most new campaigns, this RAT also demonstrates a few different techniques that are possible to monitor. For one, it is beneficial to monitor for any suspicious file creations in the startup folder, which would detect the BAT being created there to establish persistence. Another possible tactic to detect would be to alert for any attempts at stealing passwords or cookies from the browser. Further, it is beneficial to monitor for any popular reconnaissance commands being used.
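The three monitoring ideas above (script drops in the Startup folder, reads of browser credential and cookie stores by something other than a browser, and common reconnaissance commands) can be expressed as simple rules over endpoint telemetry. The script below is an added example for this summary, not code from Securonix or from the report; it runs over a constructed list of Sysmon-style `FileCreate` and `ProcessCreate` events plus an assumed EDR-style `FileOpen` event, and the recon tool list, browser file names and Startup path pattern are choices made here for illustration. Only the `.bat`-to-Startup behaviour comes from the report; the rest is generalised from it.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). Field names mimic Sysmon-style
# FileCreate / ProcessCreate events; "FileOpen" is an assumed EDR read event.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "cmdline": "whoami /all"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "cmdline": "net view /all"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe report.txt"},
    {"type": "FileOpen", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileOpen", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]

# Rule 1: script files written to a per-user or all-users Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}  # .bat is from the report; others assumed

# Rule 2: browser credential/cookie stores opened by a non-browser process.
PROFILE_RE = re.compile(r"\\(User Data|Mozilla\\Firefox\\Profiles)\\", re.I)
BROWSER_SECRET_FILES = {"login data", "cookies", "web data", "logins.json", "cookies.sqlite", "key4.db"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Rule 3: common host/network discovery commands (illustrative list).
RECON_TOOLS = {"whoami", "ipconfig", "systeminfo", "hostname", "tasklist", "netstat", "nltest", "arp", "quser"}
NET_RECON_SUBCMDS = {"view", "user", "group", "localgroup", "share", "accounts"}


def startup_script_write(ev):
    target = ev["target"]
    if STARTUP_RE.search(target) and PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
        return f"{PureWindowsPath(ev['image']).name} wrote {PureWindowsPath(target).name} to a Startup folder"
    return None


def browser_secret_access(ev):
    target, image = ev["target"], PureWindowsPath(ev["image"]).name.lower()
    name = PureWindowsPath(target).name.lower()
    if PROFILE_RE.search(target) and name in BROWSER_SECRET_FILES and image not in BROWSER_IMAGES:
        return f"{image} opened browser secret store {name!r}"
    return None


def recon_command(cmdline):
    """Return the recon tool name if the command line starts with one, else None."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    exe = PureWindowsPath(parts[0].strip('"')).name.lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe in RECON_TOOLS:
        return exe
    if exe in ("net", "net1") and len(parts) > 1 and parts[1].lower() in NET_RECON_SUBCMDS:
        return f"net {parts[1].lower()}"
    return None


def detect(events):
    """Apply the three rules and return a list of {rule, detail} alerts in event order."""
    alerts = []
    for ev in events:
        rule, msg = None, None
        if ev["type"] == "FileCreate":
            rule, msg = "persistence.startup_script", startup_script_write(ev)
        elif ev["type"] == "ProcessCreate":
            tool = recon_command(ev["cmdline"])
            rule = "discovery.recon_command"
            msg = tool and f"recon command {tool!r} spawned by {PureWindowsPath(ev['parent']).name}"
        elif ev["type"] == "FileOpen":
            rule, msg = "credential_access.browser_store", browser_secret_access(ev)
        if msg:
            alerts.append({"rule": rule, "detail": msg})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

The recon rule keys on the parent process rather than blocking on the command itself, because administrators run these tools legitimately; in practice you would tune it on the parent image (a script or binary under a user's Temp directory, as in the constructed events) and on bursts of several such commands from one process.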