Securonix researchers have discovered a Python-based RAT Trojan that gives its operators full control over compromised systems.
The experts named the Trojan PY#RATION. It uses the WebSocket protocol to communicate with the command and control (C2) server and to retrieve data from the victim host. The PY#RATION malware is distributed through a phishing campaign that uses password-protected ZIP archives containing two LNK tags disguised as front.jpg.lnk and back.jpg.lnk images.
When launching the shortcuts, the victim sees photos of the driver's license. At this time, malicious code is executed to communicate with C2 and download two TXT files "front.txt" and "back.txt", which are then renamed to BAT files to execute malware.
When launched, the malware creates the "Cortana" and "Cortana/Setup" directories in the user's temporary directory and then downloads, unpacks, and runs additional executable files from that location. Persistence is established by adding the "CortanaAssist.bat" batch file to the user's startup directory. The use of Cortana aims to disguise malware entries as system files.
PY#RATION is a Python-based RAT Trojan packaged into an executable using automatic packagers such as "pyinstaller" and "py2exe" that can convert Python code into Windows executables that include all the libraries required to execute it.
This approach results in an increase in payload size, which helps malware avoid detection.
Among the features of the PY#RATION RAT version are the following:
- network enumeration;
- transferring files from a compromised system to C2 or vice versa;
- execution of shell commands;
- enumeration of hosts;
- extracting passwords and cookies from browsers;
- theft of data from the clipboard;
- detection of antivirus tools on the device.
The use of the WebSocket protocol allows the Trojan to communicate with C2 over a single TCP connection using ports that are usually left open (80 and 443). At the moment, details about specific campaigns using this malware and its targets, distribution volume, and the operators behind it remain unclear.