Python-based malware targets Windows, linux, and macOS and is presumed to be used by dangerous password attack groups, also known as Crypto mimics.
This group has been active since June 2019 and employs various techniques to deliver malware to the victim’s machine.
JPCERT/CC released the latest article about attacks confirmed by the campaigns and shared their analysis report.
Targeting Windows
Since the attack vector of this campaign is unknown, the infection flow after the execution of the malware is similar to that of the Linkedin attack by this group.
Initially, the malware file builder.py of the Python module is delivered to the victim machine, which downloads additional malware once it gets executed by the user.
The malware downloads and runs additional MSI files externally using a Powershell script that is dropped after the execution.
The malware communicates with the C2 server every minute and is responsible for the download and execution of additional malware.
In addition, the secondary sample of the MSI file downloaded by the Powershell script encodes the user name, OS, process information, etc. of the infected device with BASE64 and sends it to the C2 server.
The flow of an attack in the Windows environment originating from Python malware
Also, it utilizes PythonHTTPBackdoor malware with simple commands to execute the attack, which has a function to detect the OS environment, and the commands executed are slightly different depending on the environment.
Linux and macOS :
In macOS and Linux environments, the builder.py file is decoded and saved as a log. tmp, and executed as a Python file.
The user ID and OS environment information are sent to the C2 server every minute and decoded with BASE64, saving it as tmp.py.
PythonHTTPBackdoor has ROT13-encoded git-related strings in the request string and generated file name, just like a log. tmp, which indicates that Git is used. You can see that it is targeting developers.
For example, the command id 501 is used to retrieve the network and process information, and 502 is used to execute the commands in Windows, Linux, and macOS machines.
Similarly, Mach-O malware JokerSPYand node.js malware are being used by this attack group to target the victims.
Indicator of compromise
118c1187c5b37ab9c4f9f39500d777c0a914c379d853439608157379dcb7177235b4550050748c54faad1e5883c281f29c08e817cc193432e7b9b43124a7962a575e852a1f24e84dacec9892042f2d2c1668bd836f9f5b03ed447f68caa7b612e0891a1bfa5980171599dc5fe31d15be0a6c79cc08ab8dc9f09ceec7a029cbdf2eea41eefdc11f9fb7607fc4ef90f76ef03b119eda8ee35ebff37b345f559e0e474c8a5ba3614cca1c48f34df73bfad753a95a67998485696391499d9bdba4301599f7365db421e4fe07a169309624e7e25d4f28cd1b101d340d54d66b6eb921528ac7bdd56a6e7ff515c6e0936db66c987e731482845dcd64a96af0f42fc95a56c6ab0083cf7edae7491e9c49b0cd9b4bb6b1fb61b5facf9ddb034ea69125f7a7b0fa9c724e7837da97dc9c48ba76b22759e514afc305d43e87a69fa9089d4c39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a45fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e964227284bfc8c5bdba5b4eaa885af5e698382dd6baa0bf8da967c0716a0a6fce3e742a67a0f25a20954a353021bbdfdd531f7cc99c305c25fb03079f7abbc60e8a808137850b6a422479e95e9fb856f3541a36cfd753070e2d10c7362f328231af5370aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc16d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16cd895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d86d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16caa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8
