Cyber Security News

Weaponized Python Scripts Deliver New SwaetRAT Malware

The Python script leverages low-level interactions with the Windows operating system, which imports crucial libraries like `System.Reflection`, `ctypes`, and `wintypes`, enabling it to directly invoke Windows APIs. 

It allows the script to manipulate system behavior at a fundamental level, potentially enabling actions like loading malicious payloads, modifying system settings, or evading security measures. 

It is necessary to conduct additional research into the script because it has the potential to engage in malicious activity, despite the fact that its current score on Virustotal is relatively low.

The script modifies system behavior by patching critical APIs: AmsiScanBuffer and EtwEventWrite, which involves overwriting the initial bytes of these functions with custom code. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

For 64-bit systems, the patch for EtwEventWrite consists of four bytes (0x48, 0x33, 0xc0, 0xc3), while for 32-bit systems, it’s five bytes (0x33, 0xc0, 0xc2, 0x14, 0x00), which aims to prevent the execution of the original API functions, hindering security mechanisms like the Antimalware Scan Interface (AMSI) and event logging through Event Tracing for Windows (ETW).

RAT capabilities RAT capabilities 
RAT capabilities

It extracts a Base64-encoded string and decodes it, as the decoded data is then used to load an assembly, which is most likely a .NET assembly as Assembly.Load is a function from the System.Reflection namespace is commonly used in .NET. 

After loading the assembly, the script creates an instance of the class specified by the EntryPoint property of the assembly. Finally, the script invokes the Invoke method on the EntryPoint of the assembly, effectively calling the entry point method of the loaded assembly. 

The first bytes of the payload can be used to identify the file format. In this case, the initial bytes “MZ” followed by a specific byte pattern indicate a Portable Executable (PE) file format. 

configuration can be easily extracted

`base64dump.py` tool further confirms this by decoding the first 16 bytes, which repeat the string “GetModuleHandleA,” a function commonly used in Windows DLLs. 

The `file` command identifies the file as a PE32+ executable, implying it’s a 64-bit executable for the Microsoft Windows environment and that it’s a .Net assembly, which is a program written in a high-level language and compiled into a format that can be executed on the .Net runtime environment. 

Malware first copies itself to a disguised location and checks if it’s run from there. If so, it extracts the next stage payload and creates persistence by adding a registry key and a startup shortcut. 

According to Sans ICS, the next stage is a .NET binary that uses reflection to bypass whitelisting and decodes a hex string containing the final payload, which is another SwaetRAT itself, and the malware also copies itself to another location and its C2 server can be extracted from the configuration.  

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

2 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

2 hours ago

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s Black…

2 hours ago

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals and…

3 hours ago

Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection

Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs (Uniform…

3 hours ago

VMware Tools Vulnerability Allows Attackers to Modify Files and Launch Malicious Operations

Broadcom-owned VMware has released security patches addressing a moderate severity insecure file handling vulnerability in…

5 hours ago