Securonix cybersecurity researchers recently discovered new Python-based malware that can steal files and record keystrokes on compromised endpoints.
The malware, dubbed PY#RATION, is apparently in active development, with researchers having observed multiple versions as of August 2022. It uses the WebSocket protocol to connect to a command and control (C2) server, receive instructions, and exfiltrate sensitive data.
Securonix claims that the malware “takes advantage of Python’s built-in Socket.IO framework, which provides both client and server WebSocket communication capabilities.” (Socket.IO is not part of Python’s standard library; it is a third-party package that layers its own messaging on top of WebSocket.) The malware uses this channel to receive commands and move data in both directions. The advantage of WebSocket, the publication notes, is that it lets the malware send and receive data simultaneously over a single TCP connection, on the same ports as ordinary web traffic, which helps the C2 channel blend in.
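To make the transport concrete, here is an added example (my own code, not PY#RATION’s or Securonix’s) of the WebSocket mechanics from RFC 6455 that the report is describing: the HTTP upgrade that turns an ordinary-looking web connection into a WebSocket, the server’s accept-key computation, and the frame encoding that lets both sides talk over one TCP connection. The host, path and command strings are constructed placeholders. Socket.IO adds its own message framing on top of exactly this transport, which the example does not reproduce.

```python
"""Added example, not PY#RATION's code: the WebSocket mechanics (RFC 6455) that
let one TCP connection on an ordinary web port carry full-duplex C2 traffic.
Standard library only. Socket.IO, which the report names, adds its own
message framing on top of exactly this transport."""
import base64
import hashlib
import os
import struct
from typing import List, Optional, Tuple

# Fixed GUID from RFC 6455 section 1.3, used when answering Sec-WebSocket-Key.
_WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Server-side Sec-WebSocket-Accept value: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + _WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """The plain HTTP/1.1 request that turns a normal-looking web connection
    into a WebSocket. On the wire (or in a proxy log) the tells are the
    Upgrade/Connection header pair and the server's 101 Switching Protocols."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def encode_frame(payload: bytes, opcode: int = 0x1, mask: bool = True,
                 masking_key: Optional[bytes] = None) -> bytes:
    """Build one unfragmented frame. Clients must mask, servers must not (RFC 6455 5.1).
    Masking is XOR with a 4-byte key: it hides strings from a naive packet grep
    but is not encryption."""
    header = bytes([0x80 | opcode])              # FIN=1, no fragmentation
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return header + payload
    key = masking_key if masking_key is not None else os.urandom(4)
    return header + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def decode_frame(data: bytes) -> Tuple[int, bytes, int]:
    """Parse one frame from the front of a byte buffer.
    Returns (opcode, payload, bytes_consumed); raises ValueError on a truncated frame."""
    if len(data) < 2:
        raise ValueError("truncated header")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n = data[1] & 0x7F
    pos = 2
    if n == 126:
        if len(data) < pos + 2:
            raise ValueError("truncated length")
        n, pos = struct.unpack("!H", data[pos:pos + 2])[0], pos + 2
    elif n == 127:
        if len(data) < pos + 8:
            raise ValueError("truncated length")
        n, pos = struct.unpack("!Q", data[pos:pos + 8])[0], pos + 8
    key = b""
    if masked:
        if len(data) < pos + 4:
            raise ValueError("truncated mask")
        key, pos = data[pos:pos + 4], pos + 4
    if len(data) < pos + n:
        raise ValueError("truncated payload")
    payload = data[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n


def simulate_exchange() -> List[Tuple[str, str]]:
    """Constructed round trip on what would be a single TCP connection: the server
    pushes a command and the client answers, with no second connection or polling."""
    transcript = []
    command = encode_frame(b"whoami", mask=False)                  # server -> client, unmasked
    _, payload, _ = decode_frame(command)
    transcript.append(("server->client", payload.decode()))
    reply = encode_frame(b"DESKTOP\\victim", masking_key=b"\x01\x02\x03\x04")  # client -> server, masked
    _, payload, _ = decode_frame(reply)
    transcript.append(("client->server", payload.decode()))
    return transcript
```

Two details matter for defenders. The upgrade is the last plaintext-HTTP moment of the connection, so an `Upgrade: websocket` request followed by a `101` to a host that is not a known web application is the natural log-based hook. After that, client-to-server payloads are XOR-masked, so command output from the implant will not match string signatures applied to raw packet bytes unless the inspection engine unmasks frames first.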
The researchers also found that the attackers used the same C2 address throughout. Because that address had not yet been flagged by the IPVoid blacklist checker, the researchers inferred that PY#RATION had stayed under the radar for months.
PY#RATION’s features include network enumeration, file transfer to and from C2, keystroke logging, shell command execution, host enumeration, cookie exfiltration, browser password exfiltration, and clipboard stealing.
The attackers distribute the malware through a conventional phishing email. The email carries a password-protected .ZIP archive which, when extracted, yields two Windows shortcut (.lnk) files disguised as images: front.jpg.lnk and back.jpg.lnk.
The names “front” and “back” refer to the front and back of a non-existent driver’s license. When a victim opens either shortcut, two further files are downloaded from the Internet, front.txt and back.txt; these are then renamed to .bat files and executed. The malware itself masquerades as Cortana, Microsoft’s virtual assistant, to avoid being removed from the system.
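The lure relies on Windows hiding the trailing .lnk so that front.jpg.lnk reads as front.jpg. As an added example (my own code, not part of the Securonix report), the following mail-gateway style triage flags that pattern in ZIP member names. It works on password-protected archives too, because ZIP encryption protects member contents but not the central directory, so the names are readable without the password. The decoy-extension list, the sample archive and its placeholder contents are constructed for the example.

```python
"""Added example, not from the Securonix write-up: triage ZIP member names for
the double-extension shortcut lure (front.jpg.lnk / back.jpg.lnk). ZIP
encryption covers member contents, not the central directory, so this scan
works on a password-protected attachment without knowing the password."""
import io
import re
import zipfile
from typing import List, Tuple

# Extensions a user reads as "harmless data" when they sit in front of .lnk (assumed list).
_DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
_RLO = "\u202e"  # Right-to-Left Override: visually reorders a filename to hide its real extension
_DOUBLE_EXT = re.compile(r"\.([a-z0-9]{1,5})\.lnk$", re.IGNORECASE)


def classify_member(name: str) -> List[str]:
    """Return the reasons a single archive member name looks like a shortcut lure (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]            # ignore directory components inside the archive
    if _RLO in base:
        reasons.append("rlo-override")
    m = _DOUBLE_EXT.search(base)
    if m and m.group(1).lower() in _DECOY_EXTENSIONS:
        reasons.append(f"decoy-extension:{m.group(1).lower()}.lnk")
    elif base.lower().endswith(".lnk"):
        reasons.append("shortcut")            # any .lnk in an email attachment deserves a look
    return reasons


def scan_zip(archive: bytes) -> List[Tuple[str, List[str]]]:
    """Scan every member name of a ZIP (encrypted or not) and return the flagged ones with reasons."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info.filename)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def build_sample_archive() -> bytes:
    """Constructed test input mimicking the lure layout; contents are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", b"placeholder")
        zf.writestr("back.jpg.lnk", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()
```

The check deliberately flags any .lnk at a lower severity as well, since a shortcut that merely lacks a decoy extension is still an unusual thing to receive by email; the decoy-extension and RLO hits are the ones worth blocking outright.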
The group behind the malware, the size of the distribution and the purpose of the campaign are currently unknown.
Via: BleepingComputer