By GoldSparrow in Remote Administration Tools

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 13
First Seen: December 15, 2015
Last Seen: July 28, 2019
OS(es) Affected: Windows

Pupy is a recently released Remote Access Tool (RAT). One of the characteristics that makes Pupy unique is that it can operate as an in-memory process, without requiring an actual file on the computer. Pupy is also particularly effective because it can operate on most major operating systems, including Windows, Mac OS and Linux. This means that Pupy has enormous potential as a hacking tool and as a possible vehicle for devastating attacks.

Revealing Pupy’s Harmful Deeds

Pupy was released in September of 2015. Pupy is written entirely in Python and is compatible across platforms, which makes it especially adaptable. Its ability to operate in memory makes Pupy a particularly intriguing tool. Although compatible with the three major operating systems, Pupy is most effective on Windows variants, where it can function completely in memory. Pupy does this by containing its payload in a reflective DLL that carries an entire Python interpreter into the targeted computer's memory, meaning that Pupy never has to touch the targeted computer's hard drive.

How Pupy’s Unique Features Make It an Effective RAT

The fact that Pupy can carry out its operations without ever dropping a file on the targeted PC's hard drive means that Pupy is much more difficult for most anti-virus programs to detect than file-based RATs. It also means that Pupy has various additional opportunities to collect data or intercept communications that may not be available to other types of RATs. Apart from the features that make it most attractive, Pupy is also structured in modules. This means that Pupy can be delivered in a basic, stripped-down form and then load modules depending on what is needed in a particular case, so Pupy's approach can be highly diversified to carry out very specific operations on different types of computers.
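Because a reflectively loaded payload has no file on disk, one triage signal a defender can use is an executable memory region that is not backed by any mapped image, especially one that carries CPython interpreter strings. The following is an added example, not code from Pupy or from this article; it assumes the caller has already collected a process memory map (for instance with VirtualQueryEx on Windows) and runs here over a constructed sample map.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Export names present in every CPython build. Finding them inside an
# executable region that has no backing file on disk is a strong hint
# that a Python interpreter was loaded reflectively rather than from a DLL.
CPYTHON_MARKERS = (b"Py_InitializeEx", b"PyRun_SimpleString", b"python27.dll")


@dataclass
class Region:
    base: int          # start address of the region
    size: int          # size in bytes
    protect: str       # simplified protection string, e.g. "RWX", "RX", "RW"
    mapped_path: str   # backing file on disk, "" if the region is anonymous
    sample: bytes      # bytes read from the region (constructed in this example)


def is_executable(protect: str) -> bool:
    return "X" in protect.upper()


def find_unbacked_executable(regions: List[Region]) -> List[Tuple[int, str]]:
    """Return (base, reason) for regions that look reflectively loaded."""
    findings = []
    for r in regions:
        if not is_executable(r.protect):
            continue            # heap and stack regions are not of interest here
        if r.mapped_path:
            continue            # image sections legitimately backed by a file
        reason = "executable region with no backing file"
        if any(marker in r.sample for marker in CPYTHON_MARKERS):
            reason += "; contains CPython interpreter strings"
        findings.append((r.base, reason))
    return findings


# Constructed sample memory map (not captured from a real host).
SAMPLE_MAP = [
    Region(0x7FF800000000, 0x1000, "RX", r"C:\Windows\System32\ntdll.dll", b"MZ..."),
    Region(0x1A0000, 0x10000, "RW", "", b"\x00" * 64),
    Region(0x2B0000, 0x200000, "RWX", "", b"MZ\x90\x00...Py_InitializeEx\x00PyRun_SimpleString"),
    Region(0x7FF7F0000000, 0x8000, "RX", "", b"trampoline stub"),
]

if __name__ == "__main__":
    for base, reason in find_unbacked_executable(SAMPLE_MAP):
        print(f"0x{base:X}: {reason}")
```

JIT compilers and some legitimate packers also create unbacked executable regions, so treat a hit as a lead for further inspection of the process, not as a verdict on its own.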

There are several known operations and modules that have been linked to Pupy. Some of these modules allow Pupy to migrate into other processes on the affected operating system. Pupy also can run its modules in the background, use rootkit techniques, provide interaction with a third party, and even auto-complete different types of commands. Using Pupy, a third party can upload data to or download data from the targeted computer. Pupy also can be used to take screenshots of the affected screen, take over the affected computer's webcam to take pictures or record video, create a backdoor on the affected computer, log keyboard and mouse movements or input, and execute code remotely. Essentially, Pupy allows almost unrestricted access to the affected computer.

Pupy: What’s Next for This RAT?

Pupy bots connect to their main server over SSL by default, but it seems that Pupy also supports other communication forms. Pupy communicates using Python files or compiled Python C extensions. This is one additional issue that makes computer researchers worry about the future of Pupy: its integrated Python interpreter makes it easily accessible, because Python is considered one of the easier entry-level programming languages and one of the most widespread. Pupy's source code is also freely available on GitHub and, from its project notes, it seems that work is now being done on supporting additional communication channels, recording network traffic, and allowing Pupy to use the affected computers' microphones to record sound. Work is also being done on making Pupy harder to detect and on leaving less of a footprint on certain computers. There is no question about it: Pupy is one of the most important hacking tools to have come onto the scene in recent years, and it will be important to keep track of its development.
