New Python-based malware campaign targets Windows (1st February 2023)

Ref# AL2023_09 | Date: Feb 1st 2023

Summary  

Researchers at Securonix have recently discovered a new, stealthy Python-based malware that features remote access trojan (RAT) capabilities targeting Windows devices.  

About PY#RATION 

This new malware is being tracked under the name PY#RATION by the researchers at Securonix. It has a broad feature set, including RAT behaviour such as keylogging and data exfiltration. The researchers noted that the malware stands out because it uses the WebSocket protocol for both its command and control (C2) communication and its data exfiltration. They also noted that it has been under active development since August 2022, with successive versions adding new features and additional evasion techniques. 

The infection begins with PY#RATION being distributed through phishing emails carrying a password-protected .zip attachment. The archive contains two shortcut (.lnk) files disguised as images (front.jpg.lnk and back.jpg.lnk). When a shortcut is opened it displays a decoy image of the front or back of a driver's licence, retrieved from a remote server, while the command embedded in the shortcut downloads two text files, front.txt and back.txt, from the C2 server. These text files are then renamed to .bat files and executed, which starts the next stage. 
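The double-extension lure described above can be caught at the mail gateway before anyone opens the archive. The following is an added example (not code from the advisory or from Securonix) of an attachment check that flags executable types hiding behind an image extension, and that also looks for the Shell Link file header in entries that are not encrypted. The sample archive it scans is constructed here to mirror the lure layout; the entry names, extension lists and function names are this example's own choices. The check on names works on password-protected archives as well, because ZIP password protection (ZipCrypto and WinZip AES) encrypts the entry data but leaves the file names in the central directory in the clear.

```python
import io
import zipfile

# Extensions commonly used as the decoy half of a double extension (assumed list).
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx")
# Extensions that execute when double-clicked on Windows (assumed list).
EXECUTABLE_EXTENSIONS = (".lnk", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")

# Shell Link (.lnk) files start with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in binary GUID form.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def suspicious_entries(zip_bytes):
    """Return a list of (entry name, reason) for risky entries in a ZIP attachment.

    Entry names are readable without the archive password, so the name checks
    apply to password-protected archives too; the content check is only
    possible for entries that are not encrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            encrypted = bool(info.flag_bits & 0x1)  # general purpose bit 0 = encrypted
            if lower.endswith(EXECUTABLE_EXTENSIONS):
                # front.jpg.lnk: strip the real extension and see if a decoy one remains.
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(DECOY_EXTENSIONS):
                    findings.append((name, "double extension disguising executable type"))
                else:
                    findings.append((name, "executable file type in attachment"))
            if not encrypted and not info.is_dir():
                # Content check: a Shell Link header under a name that does not say .lnk.
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
                if head == LNK_MAGIC and not lower.endswith(".lnk"):
                    findings.append((name, "Shell Link header with non-.lnk name"))
    return findings


def build_sample_attachment(lure=True):
    """Constructed sample archives for the demo: the lure layout, or a benign one."""
    # A truncated Shell Link body; only the header bytes matter for this demo.
    fake_lnk = LNK_MAGIC + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("front.jpg.lnk", fake_lnk)
            zf.writestr("back.jpg.lnk", fake_lnk)
            zf.writestr("readme.txt", b"harmless text")
        else:
            zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg, constructed")
            zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_attachment()):
        print(f"{entry}: {reason}")
```

A production gateway would additionally block or quarantine any archive that contains a .lnk at all, since there is almost never a legitimate reason to email one.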

In the second stage, the batch files create two directories under the user's temp folder, Cortana and Cortana\Setup. A further batch file, CortanaDefault.bat, is dropped into the temp folder and checks for the files unrar.cert, setup.rar and assist.rar; any that are missing are downloaded from hxxps://install.realproheros.com/. Once all three are present, the built-in Microsoft utility certutil.exe is used to decode unrar.cert into the executable unrar.exe, which is then run to extract the contents of assist.rar and setup.rar. A Visual Basic script, inv.vbs, is created in the Cortana folder and waits for specific parameters before running. Persistence is established by dropping the batch file CortanaAssist.bat into the Startup folder, so that the malware is executed each time the user logs on. 
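The second-stage behaviour above (batch files run from the temp folder, certutil decoding a non-certificate file into an executable, an executable launched from the temp folder, and a file dropped into the Startup folder) is visible in ordinary endpoint telemetry. The following is an added detection example, not code from the advisory or from Securonix: a handful of rules run over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) events. The events are constructed for this demo and are not real logs from the campaign; the rule names, regexes and the field names are this example's own assumptions about the event schema.

```python
import re

# Constructed Sysmon-style events following the infection chain in the advisory.
# Field names mirror Sysmon's Image / CommandLine / TargetFilename (assumed schema).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\front.bat",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -decode C:\\Users\\alice\\AppData\\Local\\Temp\\Cortana\\unrar.cert "
                    "C:\\Users\\alice\\AppData\\Local\\Temp\\Cortana\\unrar.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Cortana\\unrar.exe",
     "CommandLine": "unrar.exe x setup.rar",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\CortanaAssist.bat"},
    # Benign certutil use: -encode, not -decode. Must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -encode report.txt report.b64",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# certutil -decode <infile> <outfile>; capture both paths, quoted or not.
CERTUTIL_DECODE = re.compile(r"-decode\s+\"?([^\s\"]+)\"?\s+\"?([^\s\"]+)", re.I)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
# Output types that should never come out of certutil -decode in normal use (assumed list).
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1")


def evaluate(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if event.get("EventID") == 1:
        m = CERTUTIL_DECODE.search(cmd)
        if image.endswith("\\certutil.exe") and m:
            _, outfile = m.groups()
            if outfile.lower().endswith(EXEC_EXT):
                hits.append("certutil_decode_to_executable")
        if image.endswith("\\cmd.exe") and TEMP_DIR.search(cmd) and BATCH_FILE.search(cmd):
            hits.append("batch_file_run_from_temp")
        if TEMP_DIR.search(image) and image.endswith(".exe"):
            hits.append("executable_launched_from_temp")
    elif event.get("EventID") == 11:
        if STARTUP_DIR.search(event.get("TargetFilename", "")):
            hits.append("file_dropped_in_startup_folder")
    return hits


def scan(events):
    """Run every rule over every event; return (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule on its own will produce some noise (installers also launch executables from the temp folder), so the useful signal is the sequence: certutil decoding into the same temp directory that a batch file ran from, followed by a write to the Startup folder, within a few minutes on one host.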

One of the extracted files, CortanaAssistance.exe, is the Python-based RAT itself: a Python script packaged into a Windows executable with a tool such as PyInstaller or py2exe. The researchers unpacked it with pyinstxtractor, but while some of the code was recovered, most of the main payload was encrypted with Fernet. Fernet is the symmetric authenticated-encryption scheme provided by the Python cryptography package; used this way it keeps the malicious code encrypted on disk, so signature-based antivirus sees only a key and an opaque blob until the code is decrypted at run time.  
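When a PyInstaller extraction yields a script full of base64 strings, the first triage step is to tell which of them are Fernet tokens and which key authenticates which token, before handing the pair to the cryptography library to decrypt. The following is an added example, not code from the advisory or from Securonix, and it does not reproduce PY#RATION's loader, which the advisory does not show. It implements the token framing from the Fernet specification with the standard library only: a token is base64url of version byte 0x80, an 8-byte big-endian timestamp, a 16-byte IV, the AES-128-CBC ciphertext, and an HMAC-SHA256 over everything before it; the 32-byte key's first half is the HMAC key and its second half the AES key. The demo key, token and candidate strings are constructed here, and the ciphertext bytes are dummy bytes (no AES is performed), so only the framing and HMAC checks are exercised.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Fernet token layout (version 0x80):
#   version(1) | timestamp(8, big-endian) | IV(16) | ciphertext | HMAC-SHA256(32)
# The 32-byte key splits into a signing key (first 16 bytes, for the HMAC)
# and an encryption key (last 16 bytes, for AES-128-CBC).
FERNET_VERSION = 0x80
MIN_TOKEN_LEN = 1 + 8 + 16 + 32


def split_key(key_b64):
    """Decode a base64url Fernet key into (signing_key, encryption_key)."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet keys are 32 bytes before base64 encoding")
    return key[:16], key[16:]


def parse_token(token_b64):
    """Split a candidate string into Fernet token fields, or return None if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(token_b64)
    except (ValueError, TypeError):
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return None
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "hmac": raw[-32:],
        "signed": raw[:-32],  # everything the HMAC covers
    }


def key_matches(token_b64, key_b64):
    """True if the key's signing half authenticates the token, i.e. it is the key to decrypt with."""
    parsed = parse_token(token_b64)
    if parsed is None:
        return False
    try:
        signing_key, _ = split_key(key_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(signing_key, parsed["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


def match_keys_to_tokens(candidates):
    """Pair key-like strings (44 base64url characters) with the tokens they authenticate."""
    keys = [c for c in candidates if len(c) == 44]
    tokens = [c for c in candidates if parse_token(c) is not None]
    return [(k, t) for k in keys for t in tokens if key_matches(t, k)]


def make_demo_key():
    """Generate a key the way Fernet.generate_key() does: 32 random bytes, base64url."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def make_demo_token(key_b64, ciphertext):
    """Assemble a structurally valid token around constructed ciphertext bytes (no AES here)."""
    signing_key, _ = split_key(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", int(time.time())) + os.urandom(16) + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


# Constructed stand-ins for the strings an analyst pulls out of an unpacked script.
DEMO_KEY = make_demo_key()
OTHER_KEY = make_demo_key()
DEMO_TOKEN = make_demo_token(DEMO_KEY, b"\x11" * 32)
DEMO_CANDIDATES = ["exec", "cryptography.fernet", OTHER_KEY, DEMO_TOKEN, DEMO_KEY, "aGVsbG8="]

if __name__ == "__main__":
    for key, token in match_keys_to_tokens(DEMO_CANDIDATES):
        fields = parse_token(token)
        print(f"key {key} authenticates a token with {len(fields['ciphertext'])} ciphertext bytes")
```

Once a (key, token) pair is confirmed, cryptography.fernet.Fernet(key).decrypt(token) returns the plaintext; the usual unpacking trick for loaders of this kind (assumed here, not taken from the advisory) is to replace the call that executes the decrypted bytes with one that writes them to disk, then repeat on any further layer found inside.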

Analysis of the malware's function code revealed capabilities including network scanning and enumeration, data exfiltration, keylogging, host and system enumeration, execution of system shell commands, file download and upload, NSSProxy functionality, and antivirus detection/enumeration.  

Indicators of Compromise 

For a list of IOCs on the PY#RATION malware, follow the link below: https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/ 

Remediation 

To protect yourself against RAT attacks such as PY#RATION, we recommend the following: 

  • Be wary of suspicious emails and any embedded attachments. Where a threat actor uses legitimate-looking information in an email, read it thoroughly: if the sender's address claims to belong to a business, contact that business through a known channel to confirm the email; if the sender is unknown, disregard it. Treat password-protected archives with particular suspicion, since the password prevents mail gateways from scanning their contents.  

  • Only download apps and software from trusted sources.  

  • Be wary when browsing the internet and do not click on suspicious links and pop ups.  

  • Ensure that you have an updated anti-virus solution and operating system.  

  • Perform regular backups of data.  

If you are infected by a RAT, we recommend the following:  

  • Upon discovering an infection, immediately disconnect the infected device from the network to stop C2 communication and any further malicious activity.  

  • Boot the device into safe mode and ensure a reputable anti-virus product is installed.  

  • Perform a full scan on the device and remove any threats detected.   

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.    

PDF Download: Python-based malware campaign targets Windows.pdf

References