A new Python-based malware that features remote access trojan capabilities has been spotted in the wild. Researchers at Securonix dubbed this malware “PY#RATION” and released a technical report detailing how the malware spreads and its capabilities. The researchers also note that this is an actively developed malware, with multiple different variants being seen since August.
The researchers indicate that this malware spreads through a phishing campaign using a password-protected ZIP file containing two LNK files. When launched, malicious code is executed to download two TXT files from a Command and Control (C2) server that are eventually renamed to BAT files. When executed, these BAT files create two directories in the user’s temporary directory spoofing Cortana and then additional files are downloaded (including the RAT), unpacked, and executed. Persistence is then established via a BAT file dropped to the user’s Startup folder.
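The infection chain above leaves several host artefacts a defender can look for: a TXT file renamed to BAT, a Cortana-named directory under the user's temporary folder, and a BAT file landing in the Startup folder. The following is an added example, not code from the Securonix report or from this article; it runs three such rules over constructed Sysmon-style events (field names follow Sysmon's process-creation and file-creation events, the paths and command lines are made up) and returns what matched.

```python
import re

# Constructed events, not real telemetry. EventID 1 = process creation,
# EventID 11 = file creation, with Sysmon's field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c ren "%TEMP%\update.txt" update.bat && update.bat'},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Cortana\winlogon.bat"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\svc.bat"},
    {"EventID": 1, "Image": r"C:\Program Files\Git\bin\git.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "git status"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

# Path fragments for the per-user temp and Startup folders (case-insensitive).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# A single shell command (no & or | crossing) that renames/moves a .txt to a .bat.
TXT_TO_BAT = re.compile(r"\b(ren|rename|move)\b[^&|]*\.txt[^&|]*\.bat\b", re.I)


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1:
            cmd = e.get("CommandLine", "")
            if TXT_TO_BAT.search(cmd):
                findings.append(("txt_renamed_to_bat", cmd))
        elif eid == 11:
            path = e.get("TargetFilename", "")
            if STARTUP_DIR.search(path) and path.lower().endswith(".bat"):
                findings.append(("bat_in_startup", path))
            if TEMP_DIR.search(path) and "cortana" in path.lower():
                findings.append(("cortana_temp_path", path))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Each rule is weak on its own (renaming a text file to a batch file is unusual but legitimate; a real Cortana package lives under Program Files or WindowsApps, not under Temp), so the useful alert is the combination of two or more firing for the same user within a short window, with the Startup-folder write being the one worth paging on.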
The malware itself is packed into an executable using automated packers such as PyInstaller and py2exe, which results in inflated payload sizes. This packaging also allows the malware to bundle and use Python's Socket.IO framework for C2 communication. More recent variants add a layer of encryption, which assists with evading detection. The latest version of the RAT includes an abundance of features, including the following:
- Network/Host enumeration
- File transfers between victim and C2
- Shell commands
- Password/Cookie stealing
- Clipboard stealing
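Because the RAT ships as a PyInstaller or py2exe bundle, a first triage question for a suspicious oversized executable is simply "is this a packed Python program, and which interpreter does it carry?". The following is an added example, not code from the report or the article. It checks a file for the trailing cookie that PyInstaller's own archive reader looks for (the `MEI` magic followed by package length, table-of-contents offset and length, Python version and a 64-byte library-name field; that layout is taken from PyInstaller's reader and is assumed to hold for the versions you encounter) and runs it over a constructed fake bundle and a benign control. py2exe uses a different container and is not covered here.

```python
import struct

# Cookie layout used by PyInstaller's CArchive reader (big-endian):
# 8-byte magic, package length, TOC offset, TOC length, Python version,
# 64-byte NUL-padded name of the bundled Python DLL/shared library.
PYI_MAGIC = b"MEI\014\013\012\013\016"
PYI_COOKIE_FMT = "!8sIIII64s"
PYI_COOKIE_LEN = struct.calcsize(PYI_COOKIE_FMT)  # 88 bytes


def pyinstaller_info(data: bytes):
    """Return parsed cookie fields if data looks PyInstaller-packed, else None."""
    off = data.rfind(PYI_MAGIC)  # bootloader searches backwards from the end too
    if off < 0 or off + PYI_COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        PYI_COOKIE_FMT, data, off)
    if toc_off + toc_len > pkg_len:  # TOC must lie inside the package
        return None
    # Newer PyInstaller encodes major*100+minor (311); older builds used
    # major*10+minor (37). Treating anything under 100 as the old form is an assumption.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "package_len": pkg_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def make_fake_bundle(pyvers: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Constructed stand-in for a PyInstaller onefile EXE: fake PE header,
    opaque payload, then a well-formed cookie. Not a real binary."""
    header = b"MZ" + b"\0" * 126
    payload = b"\xAB" * 1000
    pkg_len = len(payload) + PYI_COOKIE_LEN
    cookie = struct.pack(PYI_COOKIE_FMT, PYI_MAGIC, pkg_len, 500, 100,
                         pyvers, pylib.ljust(64, b"\0"))
    return header + payload + cookie


BENIGN_SAMPLE = b"MZ" + b"\0" * 2000 + b"plain program, nothing appended"


if __name__ == "__main__":
    print("fake bundle :", pyinstaller_info(make_fake_bundle()))
    print("benign file :", pyinstaller_info(BENIGN_SAMPLE))
```

A hit tells you the file is worth unpacking rather than being malicious by itself; plenty of legitimate tools ship the same way. What it does give a responder immediately is the interpreter version, which narrows down which unpacking and decompilation tooling will work on the extracted bytecode.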