![]() ![]() The advantage of WebSockets is that the malware can simultaneously receive and send data from and to the C2 over a single TCP connection using ports commonly left open in networks like 80 and 443. Securonix researchers say that the malware "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is used for both communication and data exfiltration. ![]() Stealing data from Chrome, Brave, Opera, and Edge browsers (Securonix) Securonix's analysts extracted the payload's contents and examined the code functions using the 'pyinstxtractor' tool to determine the capabilities of the malware. While Securonix did not share the hash of the malware samples, BleepingComputer was able to find the following file that appears to be from this campaign: Detection rate for Py#Ration RAT (BleepingComputer) This helps the malware evade detection, and according to Securonix's tests, version 1.6.0 of the payload deployed undetected by all but one antivirus engine on VirusTotal. The more recent version is bigger because it features additional code (+1000 lines) and a layer of fernet encryption. This approach results in an inflated payload sizes, with version 1.0 (initial) being 14MB, and version 1.6.0 (latest) being 32MB. The malware delivered to the target is a Python RAT packed into an executable using automated packers like 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its execution. ![]() The campaign's complete infection chain (Securonix) Stealthy PY#RATION RAT ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |