This new Python malware is going after Windows machines

Python
(Image credit: Shutterstock / dTosh)

Cybersecurity researchers from Securonix have recently discovered a new Python-based malware that’s capable of stealing files and logging keystrokes from affected endpoints.

Dubbed PY#RATION, the malware is apparently being actively developed, with the researchers spotting multiple versions since August 2022. The malware uses the WebSocket protocol to reach out to the command & control (C2) server, get instructions, and potentially extract sensitive data. 

Securonix say the malware "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." The malware uses this channel to pull data and receive commands. The advantage of WebSocket, the publication claims, is that it allows the malware to receive and send data over a single TCP connection, via commonly open ports, at the same time.

<a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"">TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"" data-link-merchant="project.tolunastart.com"">our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Multiple features

The researchers also said that the attackers used the same C2 address all this time. Given that the address is yet to be blocked on the IPVoid checking system, the researchers assumed that PY#RATION was flying under the radar for months. 

PY#RATION’s features include, among others, network enumeration, file transfer to and from the C2, keylogging, shell commands execution, host enumeration, cookies exfiltration, the exfiltration of passwords stored in the browser, and clipboard data theft.

To distribute the malware, the attackers are using the good old phishing email. The email comes with a password-protected .ZIP archive which, when unpacked, delivers two shortcut files, designed to look like image files - front.jpg.lkn, and back.jpg.lnk.

The “front” and “back” file names refer to the front and the back of a non-existent driver’s license. If the victims click the files, they’ll get two more files downloaded from the internet - front.txt and back.txt. These are later renamed to .bat files and executed. The malware itself tries to disguise itself as Cortana, Microsoft’s virtual assistant, to discourage its removal from the system.

The group behind the malware, the distribution volume, and the goal of the campaign, are all unknown at this time.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.