PyFlash

By GoldSparrow in Backdoors

The PyFlash Trojan backdoor, written in the Python programming language, is a new hacking tool in the arsenal of the Turla hacking group. The Turla hacking group originates from Russia and has claimed numerous victims throughout the years. Researchers believe that the Turla hacking group is targeting high-ranking Armenian politicians in its latest campaign.

According to reports, the Russian hacking group has managed to compromise two government websites and two pages that belong to a popular organization in Armenia. This latest campaign uses the so-called ‘watering hole’ technique: the Turla hacking group plants fake Adobe Flash Player updates on the compromised websites and attempts to bait government officials into installing the bogus update.

Officials who fall for this trick and apply the fake update allow the Turla hacking group to compromise their system. The first-stage payload in this campaign is the NetFlash Trojan downloader, which fetches the secondary payload – the PyFlash Trojan backdoor. The NetFlash downloader also downloads the genuine ‘py2exe’ tool, which converts Python code into Windows executables. The PyFlash script is launched on the infected Windows device with the help of the ‘py2exe’ utility.
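The lure described above, a Flash Player installer served from a compromised site rather than from Adobe, leaves a trace in web-proxy logs. The following hunting script is an added example for this article, not code from the page or from any vendor: it parses a constructed comma-separated log format (timestamp, client IP, host, path, HTTP status) and flags installer-looking downloads from hosts outside an assumed allowlist of `adobe.com` subdomains. The sample log lines and hostnames are constructed for illustration.

```python
"""Hunt web-proxy logs for Flash Player installer downloads served from non-Adobe hosts.

Added example for this article; not code from the page or from any vendor. The log
format and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Hosts treated as legitimate sources of a Flash Player installer.
# Assumption: only adobe.com and its subdomains; adjust to your own approved mirrors.
TRUSTED_SUFFIXES = ("adobe.com",)

# File names that look like a Flash Player installer or update package.
LURE_NAME = re.compile(r"(flash|adobe).*\.(exe|msi)$", re.IGNORECASE)


def is_trusted_host(host):
    """True only for an exact allowlisted domain or a subdomain of one (no look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_line(line):
    """Split one constructed log line into a record; None if it is malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        return None
    ts, client, host, path, status = parts
    return {"ts": ts, "client": client, "host": host, "path": path, "status": status}


def flag_fake_flash_downloads(lines):
    """Return records where an installer-looking file was successfully fetched from an untrusted host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        filename = rec["path"].rsplit("/", 1)[-1]
        if (LURE_NAME.search(filename)
                and rec["status"] == "200"
                and not is_trusted_host(rec["host"])):
            hits.append(rec)
    return hits


def hosts_serving_lures(lines):
    """Group flagged downloads by serving host so a compromised site stands out."""
    by_host = defaultdict(set)
    for rec in flag_fake_flash_downloads(lines):
        by_host[rec["host"]].add(rec["client"])
    return {host: sorted(clients) for host, clients in by_host.items()}


# Constructed sample log: one genuine download from Adobe, two lure downloads from
# other sites (.test hostnames are placeholders), and one failed fetch.
SAMPLE_LOG = [
    "2020-03-12T09:14:02Z, 10.0.5.21, fpdownload.adobe.com, /get/flashplayer/pdc/32.0.0.330/install_flash_player.exe, 200",
    "2020-03-12T09:16:45Z, 10.0.5.21, www.example-gov.test, /images/logo.png, 200",
    "2020-03-12T09:17:03Z, 10.0.5.21, www.example-gov.test, /update/AdobeFlashPlayer_Update.exe, 200",
    "2020-03-12T10:02:19Z, 10.0.7.88, cdn.example-news.test, /dl/flash_player_installer.exe, 200",
    "2020-03-12T10:05:00Z, 10.0.7.88, cdn.example-news.test, /dl/flash_player_installer.exe, 404",
]

if __name__ == "__main__":
    for host, clients in hosts_serving_lures(SAMPLE_LOG).items():
        print(f"{host} served a Flash-installer lure to {', '.join(clients)}")
```

The allowlist check compares whole labels, so a look-alike such as `adobe.com.example.test` is not trusted; in practice the allowlist would be extended with whatever software mirrors the organisation actually approves.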

Upon launching, the PyFlash Trojan backdoor establishes a connection with its operators’ C&C (Command & Control) server and receives commands from it. The traffic between the Trojan and the C&C server is securely encrypted. The PyFlash Trojan backdoor allows the attackers to:

  • Execute Windows commands.
  • Transfer the result of the executed commands to the attackers’ C&C server.
  • Download and plant additional malware via a URL.
  • Re-run the threat every ‘X’ minutes by using the Windows Task Scheduler.
  • Remove the threat from the compromised device.
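The scheduled-task persistence in the list above is the most visible of these behaviours from a defender's side: a binary in a user-writable directory that is re-launched every few minutes. The script below is an added example for this article, not the page's or any vendor's code. It parses the Task Scheduler XML that Windows records in Security event 4698 (task created) or that `schtasks /query /xml` prints, and flags tasks that combine a short `Repetition/Interval` with an `Exec/Command` under a user-writable path. The two task definitions are constructed samples, not real Turla artifacts, and the 60-minute threshold is an assumption.

```python
"""Flag scheduled tasks that re-run a binary from a user-writable path every few minutes.

Added example for this article, not the page's or any vendor's code. Input is Task
Scheduler 2.0 XML (as logged in Security event 4698 or printed by `schtasks /query /xml`);
the two task definitions below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a normal user can write to; persistence binaries usually live here.
USER_WRITABLE = re.compile(
    r"(\\users\\|\\appdata\\|\\temp\\|\\programdata\\|%(local)?appdata%|%temp%|%userprofile%)",
    re.IGNORECASE,
)

# ISO 8601 duration as used in <Interval>, e.g. PT5M or P1DT2H.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def interval_minutes(duration):
    """Convert an ISO 8601 duration into minutes; None if the format is not understood."""
    m = DURATION.match(duration.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def analyze_task(task_xml, max_minutes=60):
    """Return what the task runs, how often it repeats, and whether the pattern is suspicious."""
    root = ET.fromstring(task_xml)
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    intervals = [interval_minutes(i.text or "")
                 for i in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    from_user_path = any(USER_WRITABLE.search(cmd) for cmd in commands)
    # Both traits together are the pattern described for PyFlash; either alone is
    # common enough (vendor updaters, user-installed tools) that it is not flagged.
    suspicious = from_user_path and shortest is not None and shortest <= max_minutes
    return {
        "commands": commands,
        "shortest_interval_minutes": shortest,
        "user_writable_path": from_user_path,
        "suspicious": suspicious,
    }


# Constructed sample: repeats every 15 minutes, runs from the user's Temp directory.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2020-03-12T09:20:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\Temp\FlashUpdate\flashupdate.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a daily vendor updater installed under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-03-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("constructed lure task", SUSPICIOUS_TASK), ("vendor updater", BENIGN_TASK)):
        print(name, analyze_task(xml_text))
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task, or the `TaskContent` field of event 4698 pulled from the Security log; the threshold and the path list are the two knobs to tune to the environment.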

Many users may not notice that anything is wrong with their system, because the ‘watering hole’ lure also launches a real Adobe Flash Player installer, so the update appears to have worked as expected. Users need to be careful when installing updates. Cybersecurity experts advise users to download and install updates only from the official website of the utility’s vendor.
