Attacks on Windows by new stealthy Python RAT malware

The wild has spotted a new Python-based malware that allows remote access trojans (RATs) to gain control of the compromised systems.

Researchers at Securonix threat analysis company Securonix have given the new RAT the name PY#RATION. It uses WebSocket to communicate with C2 servers and exfiltrate victim hosts’ data.

The company has provided a technical report that explains how this malware functions. Researchers note that the RAT has been actively developing since they have seen several versions of the malware in the past eight months, when PY#RATION began.

Distribution through shortcut files

PY#RATION is distributed through a phishing campaign. It uses two ZIP files that contain password-protected shortcut.LNK file attachments disguised as images: front.jpg.lnk .

The shortcuts victim can see the driver’s license front and back when it is launched. Malicious code can also be executed to call the C2 (Pastebin later) and to download two files.TXT (front.txt and back.txt), which will eventually be renamed into BAT files in order to allow the malware execution.

The malware launches immediately and creates the directories ‘Cortana/Setup and ‘Cortana/Setup.’ It then runs additional executables from the temporary directory.

Persistence is established by adding a batch file (‘CortanaAssist.bat’) into the user’s startup directory.

Cortana is Microsoft’s Windows personal assistant. It aims to disguise malware files as system files.

Stealthy PY#RATION Rat

This malware is a Python RAT that was packed in an executable with automated packs like ‘pyinstaller and ‘py2exe’. These can transform Python code into executables for Windows, which include all required libraries.

The result is a large payload size. Version 1.0 (initial), was 14MB and version 1.6.0, 32MB. Because it includes additional code (+1 000 lines) as well as fernet encryption, the latest version is larger.

This allows the malware to evade detection. According to Securonix tests, the 1.6.0 version of the payload was not detected by any antivirus engines on VirusTotal.

Although Securonix didn’t share the hash for the malware samples with BleepingComputer, BleepingComputer found the following file which appears to have been from the campaign.

Securonix analysts extracted payload contents from the file and used the “pyinstxtractor” tool to examine the functions of code. This allowed them to identify the potential capabilities of the malware.

The following features are included in the version 1.6.0 PY#RATION Rat:

• Perform network enumeration
• File transfers can be made from the compromised system to the C2 or vice versa
• To record keystrokes of the victim, you can use keylogging
• Shell commands are executed
• Perform host enumeration
• Web browsers can be used to extract passwords and cookie information
• Copy data to the clipboard
• Anti-virus software running on your host is detected

the malware uses Python’s Socket.IO framework. This provides both client-server WebSocket communication features. This channel can be used to both communicate and exfiltrate data.

WebSockets have the advantage that malware can simultaneously send and receive data to and from the C2 via a single TCP connection. This is using common ports in network like 80 or 443.

Analysts noticed the use of the same C2 address by threat actors (“169[. The threat actors used the same C2 address (“169[.]239.129.108”) all through their campaign. This was from malware version 1.1.0 to 1.6.0.

Researchers claim that the IP was not blocked by the IPVoid system. This indicates that the PY#RATION went unnoticed for many months.

Details about the specific malware campaigns, its distribution volume and operators are still unknown.