PY#RATION RAT Uses Unique C2 Approach - PC Users Beware!


Security researchers have identified a new cyber attack, first observed in August 2022, that uses a Python-based Remote Access Trojan (RAT). According to Securonix, the malware, referred to as PY#RATION, is notable for its use of WebSockets for both command and control (C2) communication and data exfiltration.
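Because PY#RATION relies on WebSockets for C2 and exfiltration, one practical defensive check is to look for WebSocket upgrades (HTTP 101 responses with an `Upgrade: websocket` request header) to destinations where none are expected. The following Python script is an added example written for this page; it is not code from Securonix or from the malware itself. The JSON-lines proxy log format, the `ALLOWED_WS_HOSTS` allowlist and the `EXFIL_BYTES` threshold are assumptions for the example, and the log records are constructed.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed proxy records (JSON lines), not real PY#RATION telemetry.
# Assumed fields: ts, src, host, port, status, upgrade (request header), bytes_out.
SAMPLE_LOG = """\
{"ts": "2022-08-15T09:01:02Z", "src": "10.0.0.12", "host": "chat.example.com", "port": 443, "status": 101, "upgrade": "websocket", "bytes_out": 5120}
{"ts": "2022-08-15T09:03:40Z", "src": "10.0.0.12", "host": "203.0.113.7", "port": 8080, "status": 101, "upgrade": "websocket", "bytes_out": 7340032}
{"ts": "2022-08-15T09:05:11Z", "src": "10.0.0.20", "host": "www.example.org", "port": 443, "status": 200, "upgrade": "", "bytes_out": 2048}
{"ts": "2022-08-15T09:07:59Z", "src": "10.0.0.31", "host": "update.example.net", "port": 80, "status": 101, "upgrade": "websocket", "bytes_out": 900}
"""

# Assumed allowlist: hosts where WebSocket upgrades are expected in this environment.
ALLOWED_WS_HOSTS = {"chat.example.com"}
# Assumed threshold: more than 5 MiB sent out over a single socket is worth a look.
EXFIL_BYTES = 5 * 1024 * 1024


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines proxy records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole hunt
    return records


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_websockets(records: List[Dict]) -> List[Dict]:
    """Return one finding per WebSocket session that trips at least one heuristic."""
    findings = []
    for r in records:
        # Only completed upgrades matter: status 101 plus an Upgrade: websocket request.
        if r.get("status") != 101 or str(r.get("upgrade", "")).lower() != "websocket":
            continue
        reasons = []
        if r["host"] not in ALLOWED_WS_HOSTS:
            reasons.append("websocket to non-allowlisted host")
        if is_ip_literal(r["host"]):
            reasons.append("destination is a bare IP address")
        if r["port"] not in (80, 443):
            reasons.append(f"non-standard port {r['port']}")
        if r["bytes_out"] >= EXFIL_BYTES:
            reasons.append("large outbound volume on a single socket")
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"], "host": r["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websockets(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src']} -> {f['host']}: {', '.join(f['reasons'])}")
```

In the constructed sample, the session to the bare IP on port 8080 that pushes several megabytes outbound trips every heuristic, while the upgrade to `update.example.net` is flagged only because it is not on the allowlist; in a real deployment the allowlist and byte threshold should be tuned from a baseline of normal WebSocket use before alerting on the weaker signals.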

The phishing emails used in this attack carry ZIP archives containing two .LNK shortcut files disguised as images of a U.K. driver's license. When either shortcut is opened, two text files are downloaded from a remote server and renamed to .BAT files, which run in the background while a decoy image is displayed to the user.
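The lure described above, a .LNK shortcut named to look like an image, is easy to spot at the mail gateway because a shell link begins with a fixed header (HeaderSize 0x4C followed by the ShellLink CLSID). The following Python script is an added example written for this page, not code from Securonix or from the malware; the sample archive it builds is constructed, and the entry names are made-up stand-ins for the lure file names the report does not list.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# A Windows shell link (.LNK) starts with HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff")


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Describe why an archive entry is suspicious, or return None if it is not.

    `head` is the first few bytes of the entry; only the LNK header is needed.
    """
    lower = name.lower()
    has_lnk_header = head.startswith(LNK_MAGIC)
    if has_lnk_header and lower.endswith(".lnk"):
        stem = lower[: -len(".lnk")]
        if stem.endswith(IMAGE_EXTS):
            # e.g. "licence.jpg.lnk": Explorer hides ".lnk", so the user sees "licence.jpg"
            return "shortcut disguised with an image double extension"
        return "windows shortcut inside mail attachment"
    if has_lnk_header:
        return "shortcut content under a non-.lnk name"
    if lower.endswith(".lnk"):
        return ".lnk name without a shortcut header"
    return None


def scan_archive(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every suspicious entry in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # read the header only, never the whole member
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: two image-named shortcuts plus one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("driving_licence_front.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("driving_licence_back.png.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"constructed benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

Checking the header rather than trusting the file name is what catches the last two cases in `classify_entry`: a shortcut renamed to hide its type, and a non-shortcut given a .lnk name. Reading only the first 20 bytes of each member also keeps the scanner cheap on large attachments and avoids inflating a decompression bomb.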

Furthermore, another batch script is retrieved from a C2 server to download additional payloads, including an executable named CortanaAssistance.exe in an attempt to pass the malware off as a system file. Two versions of the trojan have been identified (1.0 and 1.6), with almost 1000 lines of code added in the newer version to support network scanning and encryption using the Fernet module. Its capabilities include transferring files, recording keystrokes, executing system commands, extracting passwords and cookies from web browsers, capturing clipboard data and checking for the presence of antivirus software.

The trojan also serves as a pathway for deploying additional malware, such as an info-stealer designed to harvest information from web browsers and cryptocurrency wallets. Although the origin of the threat actor remains unknown, the phishing lures suggest the intended targets are located in the U.K. or North America.

What are the backdoors that malware like PY#RATION uses to compromise a system?

Backdoors are malicious programs that allow attackers to gain access to a system without the user's knowledge or permission. Malware like PY#RATION typically uses backdoors to compromise a system by exploiting vulnerabilities in the operating system, applications, or network protocols.

Common backdoor techniques include using remote access tools such as Remote Desktop Protocol (RDP), creating hidden accounts with administrative privileges, and using malicious scripts to execute commands on the target machine. Backdoors can also be used to bypass authentication mechanisms and gain access to sensitive data. Additionally, backdoors can be used to install additional malware on the compromised system, allowing attackers to further expand their control over the victim's machine.

Why are remote access trojans like PY#RATION a major security issue for any victim?

Remote access trojans like PY#RATION are a major security issue for any victim because they allow attackers to gain access to a system without the user's knowledge or permission. This type of malware can exploit vulnerabilities in the operating system, applications, or network protocols to bypass authentication mechanisms and gain access to sensitive data.

Additionally, a RAT can be used to install further malware on the compromised system, allowing attackers to expand their control over the victim's machine. This means that an attacker could potentially have complete control over a victim's computer, including access to personal information such as passwords and financial data. Furthermore, remote access trojans can be used to launch distributed denial-of-service (DDoS) attacks against other systems or networks, making them even more dangerous.

As such, it is important for users to take steps to protect themselves from these types of threats by using strong passwords and keeping their systems up-to-date with the latest security patches.

January 27, 2023