A new Python-based malware has been discovered in the wild, with remote access trojan (RAT) capabilities that permit its operators to regulate the compromised systems.
The new RAT, dubbed PY#RATION by researchers at threat analytics firm Securonix, communicates with the command and control (C2) server and exfiltrates data from the victim host via the WebSocket protocol.
The company's technical report examines how the malware operates. The researchers note that the RAT is actively being developed, as they have seen multiple versions of it since the PY#RATION campaign began in August. MalwareHunterTeam, who tweeted about a campaign in August 2022, also discovered this malware.
The PY#RATION malware is distributed through a phishing campaign that employs password-protected ZIP file attachments with two shortcuts. Front.jpg.lnk and back.jpg.lnk are LNK files disguised as images.
When the shortcuts victim is launched, he or she sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (in later attacks, Pastebin) and download two.TXT files ('front.txt' and 'back.txt'), which are later renamed to BAT files to accommodate malware execution.
When the malware is launched, it creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory before downloading, unpacking, and running additional executable files from that location.
By placing a batch file ('CortanaAssist.bat') in the user's startup directory, persistence is established. Cortana, Microsoft's personal assistant solution for Windows, is used to disguise malware entries as system files.
The malware supplied to the target is a Python RAT packaged into an executable with the help of automated packers such as 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its implementation.
This method results in larger payload sizes, with version 1.0 (the first) being 14MB and version 1.6.0 (the most recent) being 32MB. The latest version is larger because it includes more code (+1000 lines) and a layer of fernet encryption.
As per Securonix's tests, version 1.6.0 of the payload deployed undiscovered by all but one antivirus engine on VirusTotal. While Securonix did not share the malware samples' hashes, BleepingComputer was able to find a file that appears to be from this campaign. To determine the malware's capabilities, Securonix analysts extracted the payload's contents and examined the code functions with the 'pyinstxtractor' tool.
Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:
- Perform network enumeration
- Perform file transfers from the breached system to the C2, or vice versa
- Perform keylogging to record the victim's keystrokes
- Execute shell commands
- Perform host enumeration
- Extract passwords and cookies from web browsers
- Steal data from the clipboard
- Detect anti-virus tools running on the host
The malware, according to Securonix researchers, "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is utilized for communication as well as data exfiltration.
The benefit of WebSockets is that the malware can concurrently receive and send data from and to the C2 over a single TCP connection using network ports such as 80 and 443. The threat actors utilized the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0, per the analysts.
The IP address has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months.. Details about specific campaigns employing this piece of malware, as well as their targets, distribution volume, and operators, are currently unknown.
