Fraud Investigation Uncovers Python Malware
A recent fraud investigation has uncovered a sophisticated strain of Python-based malware. The discovery gives security researchers and penetration testers new information on attack vectors currently in use. Details of the malware's functionality are still being analyzed to understand its capabilities and purpose.
- The malware, identified as PY#RATION, is a remote access trojan (RAT) that uses WebSockets for command and control (C2) communications and data exfiltration, a less common method that helps it bypass some network security measures.
- To evade detection by antivirus software, PY#RATION employs Fernet encryption, part of the Python cryptography package, to mask malicious strings that security tools would typically identify.
- The initial infection vector for PY#RATION is a phishing email containing a password-protected ZIP file. Inside the archive are shortcut (.lnk) files disguised as images of a UK driver's license which, when opened, initiate the malware download process.
- This RAT has a wide range of capabilities, including logging keystrokes, stealing cookies and passwords from web browsers, accessing cryptocurrency wallets, and capturing clipboard data.
- Another recently discovered Python-based attack used heavy obfuscation with tools like PyArmor and falsified metadata to conceal its operations. This malware was part of a layered attack that also involved the XWorm RAT and the Cobalt Strike framework.
- The investigation into this separate incident began after a user reported strange black windows briefly appearing on their screen and unauthorized PayPal transfers, which were traced back to malicious PowerShell commands.
- This malware was packaged with PyInstaller into an executable named "svchoss.exe" to mimic a legitimate Windows process, and it targeted autofill data from Chromium-based browsers, Firefox profiles, and cryptocurrency wallets.
- The use of Python for malware is notable because it can be compiled to run on various operating systems, including Windows, macOS, and Linux, making it a flexible tool for attackers.
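Two of the indicators above lend themselves to cheap, key-free detection: Fernet tokens have a fixed layout (a 0x80 version byte, an 8-byte timestamp, a 16-byte IV, AES-CBC ciphertext in whole 16-byte blocks, and a 32-byte HMAC), so a masked string literal has a recognizable shape even though it cannot be decrypted, and a process name like "svchoss.exe" is a near-miss of the legitimate "svchost.exe". The following is an added example written for this page, not code from the original report or from any of the tools it names; the sample script and process list are constructed, and the token in the sample is a structurally valid stand-in built from zero bytes, not real ciphertext.

```python
"""Added example: two structural checks for indicators described in the
PY#RATION write-up, run over constructed sample data.
1. Fernet-token-shaped string literals inside a Python script (masked strings).
2. Process names that are near-misses of legitimate Windows process names.
"""
import base64
import binascii
import re
from difflib import SequenceMatcher

# A Fernet token is URL-safe base64 of: 0x80 version byte, 8-byte big-endian
# timestamp, 16-byte IV, AES-CBC ciphertext (multiple of 16 bytes), 32-byte HMAC.
# The 0x80 version byte and the leading zero bytes of a current timestamp make
# every token begin with "gAAAAA", which is a cheap pre-filter before decoding.
FERNET_CANDIDATE_RE = re.compile(r"gAAAAA[A-Za-z0-9_\-]{60,}={0,2}")
FERNET_HEADER_LEN = 1 + 8 + 16          # version + timestamp + IV
FERNET_HMAC_LEN = 32
FERNET_MIN_LEN = FERNET_HEADER_LEN + 16 + FERNET_HMAC_LEN  # one cipher block


def looks_like_fernet_token(token: str) -> bool:
    """Decode the candidate and verify the Fernet layout without needing the key."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < FERNET_MIN_LEN or raw[0] != 0x80:
        return False
    ciphertext_len = len(raw) - FERNET_HEADER_LEN - FERNET_HMAC_LEN
    return ciphertext_len % 16 == 0


def find_fernet_tokens(source: str) -> list[str]:
    """Return every substring of `source` that has the shape of a Fernet token."""
    return [m.group(0) for m in FERNET_CANDIDATE_RE.finditer(source)
            if looks_like_fernet_token(m.group(0))]


# Legitimate Windows process names that malware commonly imitates (assumed list).
LEGIT_WINDOWS_PROCESSES = ["svchost.exe", "lsass.exe", "csrss.exe",
                           "explorer.exe", "winlogon.exe"]


def lookalike_process_names(observed, legit=LEGIT_WINDOWS_PROCESSES,
                            threshold=0.85):
    """Flag names that closely resemble, but are not equal to, a legitimate name.

    Returns a list of (observed_name, legitimate_name_it_resembles) pairs.
    """
    hits = []
    for name in observed:
        lower = name.lower()
        if lower in legit:
            continue                      # exact match: nothing to flag here
        for real in legit:
            if SequenceMatcher(None, lower, real).ratio() >= threshold:
                hits.append((name, real))
                break
    return hits


# Constructed sample: a token-shaped blob (zero timestamp, zero IV, one dummy
# cipher block, zero HMAC) standing in for a real masked string.
SAMPLE_TOKEN = base64.urlsafe_b64encode(
    b"\x80" + bytes(8) + bytes(16) + b"\x11" * 16 + bytes(32)).decode()
SAMPLE_SCRIPT = 'ENCODED = "' + SAMPLE_TOKEN + '"\nprint(ENCODED)\n'

# Constructed process list: one lookalike among legitimate and benign names.
SAMPLE_PROCESSES = ["svchost.exe", "svchoss.exe", "explorer.exe", "python.exe"]

if __name__ == "__main__":
    for tok in find_fernet_tokens(SAMPLE_SCRIPT):
        print("Fernet-shaped literal:", tok[:24] + "...")
    for seen, real in lookalike_process_names(SAMPLE_PROCESSES):
        print(f"lookalike process name: {seen} resembles {real}")
```

The token check is a triage aid, not proof: a legitimate application may embed Fernet tokens, and a packer such as PyInstaller or PyArmor can hide the literal entirely, so it belongs alongside process-name and network telemetry rather than in place of them. The similarity threshold of 0.85 is a tunable assumption; lower it to catch shorter substitutions at the cost of more false positives.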