New Python-based malware has been spotted in the wild with Remote Access Trojan (RAT) capabilities to give its operators control over hacked systems.
Named PY#RATION by researchers at threat analytics firm Securonix, the new RAT uses the WebSocket protocol to communicate with the command and control (C2) server and to exfiltrate data from the victim host.
A technical report from the company analyzes how the malware works. The researchers note that the RAT is being actively developed as they have seen several versions of it since August, when the PY#RATION campaign began.
Distribution via shortcut files
The PY#RATION malware is distributed via a phishing campaign that uses password-protected ZIP file attachments containing two .LNK shortcuts disguised as images, namely front.jpg.lnk and back.jpg.lnk.
When launched, the victim of the hotkeys sees the front and back of a driver’s license. However, malicious code is also executed to contact the C2 (Pastebin in later attacks) and download two .TXT files (‘front.txt’ and ‘back.txt’) which are eventually renamed to BAT files to allow execution malware.
Upon launch, the malware creates the “Cortana” and “Cortana/Setup” directories in the user’s temporary directory, then downloads, unpacks, and runs additional executables from this location.
Persistence is established by adding a batch file (‘CortanaAssist.bat’) to the user’s startup directory.
The use of Cortana, Microsoft’s personal assistant solution on Windows, aims to disguise malware entries as system files.
Stealth RAT PY#RATION
The malware delivered to the target is a Python RAT compressed into an executable using automated packers such as ‘pyinstaller’ and ‘py2exe’, which can convert Python code into Windows executables that include all the libraries needed to run it .
This approach results in inflated payload sizes, with version 1.0 (initial) being 14MB and version 1.6.0 (latest) being 32MB. additional code (+1000 lines) and a layer of fernet encryption.
This helps the malware evade detection and, according to Securonix testing, the payload version 1.6.0 deployed undetected by all but one antivirus engine on VirusTotal.
Although Securonix did not share the hash of the malware samples, BleepingComputer was able to find the following file which appears to be from this campaign:
Securonix analysts extracted the contents of the payload and examined the functions of the code using the “pyinstxtractor” tool to determine the malware’s capabilities.
Among the features seen in version 1.6.0 of the PY#RATION RAT, we find the following:
- Perform network enumeration
- Perform file transfers from the hacked system to the C2, or vice versa
- Perform keylogging to record victim keystrokes
- Execute shell commands
- Perform host enumeration
- Extract passwords and cookies from web browsers
- Steal clipboard data
- Detect anti-virus tools running on the host
According to Securonix researchers that the malware “leverages Python’s built-in Socket.IO framework, which provides functionality for client and server WebSocket communication”. This channel is used for both communication and data exfiltration.
The advantage of WebSockets is that the malware can simultaneously receive and send data to and from the C2 over a single TCP connection using ports typically left open in networks such as 80 and 443.
Analysts have noticed that threat actors use the same C2 address (“169[.]239.129.108”) throughout their campaign, from malware version 1.0 to version 1.6.0.
According to the researchers, the IP address was not blocked on the IPVoid verification system, indicating that PY#RATION has not been detected for several months.
At this time, details about the specific campaigns using this malware and its targets, distribution volume and operators behind it remain unclear.
Securonix published a separate article where they list the IoCs (indicators of compromise) for the PY#RATION campaign.