Cyber Security News

Weaponized Python Scripts Deliver New SwaetRAT Malware

The Python script leverages low-level interactions with the Windows operating system, which imports crucial libraries like `System.Reflection`, `ctypes`, and `wintypes`, enabling it to directly invoke Windows APIs. 

It allows the script to manipulate system behavior at a fundamental level, potentially enabling actions like loading malicious payloads, modifying system settings, or evading security measures. 

It is necessary to conduct additional research into the script because it has the potential to engage in malicious activity, despite the fact that its current score on Virustotal is relatively low.

The script modifies system behavior by patching critical APIs: AmsiScanBuffer and EtwEventWrite, which involves overwriting the initial bytes of these functions with custom code. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

For 64-bit systems, the patch for EtwEventWrite consists of four bytes (0x48, 0x33, 0xc0, 0xc3), while for 32-bit systems, it’s five bytes (0x33, 0xc0, 0xc2, 0x14, 0x00), which aims to prevent the execution of the original API functions, hindering security mechanisms like the Antimalware Scan Interface (AMSI) and event logging through Event Tracing for Windows (ETW).

RAT capabilities RAT capabilities 
RAT capabilities

It extracts a Base64-encoded string and decodes it, as the decoded data is then used to load an assembly, which is most likely a .NET assembly as Assembly.Load is a function from the System.Reflection namespace is commonly used in .NET. 

After loading the assembly, the script creates an instance of the class specified by the EntryPoint property of the assembly. Finally, the script invokes the Invoke method on the EntryPoint of the assembly, effectively calling the entry point method of the loaded assembly. 

The first bytes of the payload can be used to identify the file format. In this case, the initial bytes “MZ” followed by a specific byte pattern indicate a Portable Executable (PE) file format. 

configuration can be easily extracted

`base64dump.py` tool further confirms this by decoding the first 16 bytes, which repeat the string “GetModuleHandleA,” a function commonly used in Windows DLLs. 

The `file` command identifies the file as a PE32+ executable, implying it’s a 64-bit executable for the Microsoft Windows environment and that it’s a .Net assembly, which is a program written in a high-level language and compiled into a format that can be executed on the .Net runtime environment. 

Malware first copies itself to a disguised location and checks if it’s run from there. If so, it extracts the next stage payload and creates persistence by adding a registry key and a startup shortcut. 

According to Sans ICS, the next stage is a .NET binary that uses reflection to bypass whitelisting and decodes a hex string containing the final payload, which is another SwaetRAT itself, and the malware also copies itself to another location and its C2 server can be extracted from the configuration.  

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

18 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

19 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

19 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

20 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

20 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

20 hours ago