Thursday, January 23, 2025
HomeCyber Security NewsWeaponized Python Scripts Deliver New SwaetRAT Malware

Weaponized Python Scripts Deliver New SwaetRAT Malware

Published on

SIEM as a Service

Follow Us on Google News

The Python script leverages low-level interactions with the Windows operating system, which imports crucial libraries like `System.Reflection`, `ctypes`, and `wintypes`, enabling it to directly invoke Windows APIs. 

It allows the script to manipulate system behavior at a fundamental level, potentially enabling actions like loading malicious payloads, modifying system settings, or evading security measures. 

It is necessary to conduct additional research into the script because it has the potential to engage in malicious activity, despite the fact that its current score on Virustotal is relatively low.

The script modifies system behavior by patching critical APIs: AmsiScanBuffer and EtwEventWrite, which involves overwriting the initial bytes of these functions with custom code. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

For 64-bit systems, the patch for EtwEventWrite consists of four bytes (0x48, 0x33, 0xc0, 0xc3), while for 32-bit systems, it’s five bytes (0x33, 0xc0, 0xc2, 0x14, 0x00), which aims to prevent the execution of the original API functions, hindering security mechanisms like the Antimalware Scan Interface (AMSI) and event logging through Event Tracing for Windows (ETW).

RAT capabilities 
RAT capabilities 

It extracts a Base64-encoded string and decodes it, as the decoded data is then used to load an assembly, which is most likely a .NET assembly as Assembly.Load is a function from the System.Reflection namespace is commonly used in .NET. 

After loading the assembly, the script creates an instance of the class specified by the EntryPoint property of the assembly. Finally, the script invokes the Invoke method on the EntryPoint of the assembly, effectively calling the entry point method of the loaded assembly. 

The first bytes of the payload can be used to identify the file format. In this case, the initial bytes “MZ” followed by a specific byte pattern indicate a Portable Executable (PE) file format. 

configuration can be easily extracted
configuration can be easily extracted

`base64dump.py` tool further confirms this by decoding the first 16 bytes, which repeat the string “GetModuleHandleA,” a function commonly used in Windows DLLs. 

The `file` command identifies the file as a PE32+ executable, implying it’s a 64-bit executable for the Microsoft Windows environment and that it’s a .Net assembly, which is a program written in a high-level language and compiled into a format that can be executed on the .Net runtime environment. 

Malware first copies itself to a disguised location and checks if it’s run from there. If so, it extracts the next stage payload and creates persistence by adding a registry key and a startup shortcut. 

According to Sans ICS, the next stage is a .NET binary that uses reflection to bypass whitelisting and decodes a hex string containing the final payload, which is another SwaetRAT itself, and the malware also copies itself to another location and its C2 server can be extracted from the configuration.  

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...