Securonix researchers have uncovered new Python-based malware that may steal data and record keystrokes from compromised computers.
Researchers have found several variants of the malware, which they have dubbed PY#RATION, dating back to August 2022. The malware uses WebSocket to communicate with its C2 server, receive commands, and exfiltrate stolen information.
Security firm Securonix states that the malware “leverages Python’s built-in Socket.IO framework, which gives functionalities to both client and server WebSocket communication.” The malware uses this channel to gather information and receive instructions. According to the report, the advantage of WebSocket is that it lets the malware receive and transmit data simultaneously over a single TCP connection, using ports that are commonly left open.
The researchers also noted that the attackers kept a constant C2 address. They speculated that PY#RATION went undetected for a long time because its IP address had not been blacklisted by the IPVoid reputation service.
PY#RATION’s features include, but are not limited to, network enumeration, file transfer to and from the C2, keylogging, shell command execution, host enumeration, cookie exfiltration, browser password exfiltration, and clipboard data theft.
The malware is spread by email phishing, an old yet reliable infection method. The email carries a password-protected attachment; once extracted, the ZIP file contains two shortcut files named front.jpg.lnk and back.jpg.lnk that are intended to look like ordinary images.
The “front” and “back” labels suggest the files are images of the front and rear of a fake driver’s licence. When the victim opens the shortcuts, they trigger the download of two further files, front.txt and back.txt, from the internet. These are then converted to .bat files for execution. To avoid removal, the spyware masquerades as Microsoft’s virtual assistant, Cortana.
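As an added illustration from the defender’s side (not code from the Securonix report or the article), the following script inspects a ZIP attachment for the double-extension lure described above: shortcut files whose name ends in a document or image extension followed by an executable one, such as front.jpg.lnk. The sample archive is constructed inline; entry names in a password-protected ZIP are readable without the password, so the check works on the central directory alone.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a shortcut or script would want to masquerade as.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}
# Real (last) extensions that Windows will execute on double-click.
EXEC_EXTS = {".lnk", ".bat", ".cmd", ".exe", ".scr", ".vbs", ".js", ".ps1"}


def suspicious_entries(names):
    """Return archive entries whose last extension is executable while the
    preceding extension makes the file look like an image or document
    (e.g. 'front.jpg.lnk'). Windows hides the final extension by default,
    so the user sees 'front.jpg'."""
    hits = []
    for name in names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS:
            hits.append(name)
    return hits


def scan_zip(data: bytes):
    """List suspicious entries in a ZIP given as bytes. Only the central
    directory is read, so an encrypted archive needs no password here."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_entries(zf.namelist())


def build_sample():
    """Constructed sample archive mirroring the reported lure: two shortcut
    files with a fake image extension plus one harmless text file. The
    shortcut bodies are placeholders, not real .lnk content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", b"placeholder, not a real shortcut")
        zf.writestr("back.jpg.lnk", b"placeholder, not a real shortcut")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample()):
        print("suspicious double-extension entry:", entry)
```

A mail gateway or sandbox can apply the same check before the archive ever reaches a user, and a pair of matching hits (as in front/back here) is a stronger signal than a single one.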
The malware’s authors, the scale of its propagation, and their ultimate objective remain mysteries.