PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration
Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022.
“This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration,” Securonix said in a report shared with The Hacker News.
The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it’s being actively developed and maintained.
The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver’s license.
Opening each of the .LNK files retrieves two text files from a remote server that are subsequently renamed to .BAT files and executed stealthily in background, while the decoy image is displayed to the victim.
Also downloaded from a C2 server is another batch script that’s engineered to retrieve additional payloads from the server, including the Python binary (“CortanaAssistance.exe”). The choice of using Cortana, Microsoft’s virtual assistant, indicates an attempt to pass off the malware as a system file.
Two versions of the trojan have been detected (version 1.0 and 1.6), with nearly 1,000 lines of code added to the newer variant to support network scanning features to conduct a reconnaissance of the compromised network and concealing the Python code behind an encryption layer using the fernet module.
Other noteworthy functionalities comprise the ability to transfer files from host to C2 or vice versa, record keystrokes, execute system commands, extract passwords and cookies from web browsers, capture clipboard data, and check for the presence of antivirus software.
What’s more, PY#RATION functions as a pathway for deploying more malware, which consists of another Python-based info-stealer designed to siphon data from web browsers and cryptocurrency wallets.
The origins of the threat actor remain unknown, but the nature of the phishing lures posits that the intended targets could likely be the U.K. or North America.
“The PY#RATION malware is not only relatively difficult to detect, the fact that it is a Python compiled binary makes this extremely flexible as it will run on almost any target including Windows, OSX, and Linux variants,” researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.
“The fact that the threat actors leveraged a layer of fernet encryption to hide the original source compounds the difficulty of detecting known malicious strings.”