A new attack campaign has been caught in the wild. The operation uses a novel Python-based malware dubbed the PY#RATION RAT. As is typically the case with Remote Access Trojans (RATs), PY#RATION has a comprehensive set of harmful capabilities, including data exfiltration and keylogging. What makes this threat particularly unusual is its use of WebSockets for both Command-and-Control (C2, C&C) communication and exfiltration, as well as its ability to evade detection by anti-malware solutions and network security measures.

The details about the PY#RATION RAT have been revealed in a report by cybersecurity researchers. According to their findings, the cybercriminals behind the threat are focused mostly on targets in the U.K. or North America, judging by the phishing lures used as part of the attack.
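Because the C2 and exfiltration channel described above rides on WebSockets, the most practical place to look for it is the web proxy or egress log: a successful upgrade (HTTP 101 with `Upgrade: websocket`) to a destination the organisation does not normally talk to, held open for a long time and carrying a lot of outbound data. The following hunting script is an added example written for this article; it is not code from the report or from the malware. The pipe-delimited log format, the sample lines, the allowlist and the thresholds are all constructed assumptions and would be replaced by whatever the real proxy emits.

```python
"""
Hunting for WebSocket-based C2 / exfiltration in web proxy logs.

Added example: the log format, allowlist, thresholds and sample lines below
are constructed for illustration and are not from the PY#RATION report.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log, pipe-delimited:
# timestamp | client | destination host | HTTP status | Upgrade header | bytes out | duration (s)
SAMPLE_LOG = """\
2023-01-24T09:01:02Z|10.0.0.12|collab.example.com|101|websocket|2048|35
2023-01-24T09:01:10Z|10.0.0.12|cdn.example.net|200|-|51200|1
2023-01-24T09:02:00Z|10.0.0.12|198.51.100.77|101|websocket|1048576|3600
2023-01-24T09:02:05Z|10.0.0.34|198.51.100.77|101|websocket|5242880|7200
2023-01-24T09:03:00Z|10.0.0.34|updates.example.org|200|-|10240|2
"""

# Constructed allowlist: WebSocket endpoints the organisation expects to see.
KNOWN_WEBSOCKET_HOSTS = {"collab.example.com"}

# Constructed thresholds: a long-lived upgraded socket pushing a lot of data
# out of a workstation is what a C2 / exfiltration channel looks like in logs.
LONG_SESSION_SECONDS = 1800
EXFIL_BYTES_OUT = 512 * 1024


@dataclass
class WsSession:
    ts: str
    client: str
    dest: str
    bytes_out: int
    duration: int


def parse_websocket_sessions(log_text):
    """Keep only completed WebSocket upgrades (HTTP 101 + Upgrade: websocket)."""
    sessions = []
    for line in log_text.strip().splitlines():
        ts, client, dest, status, upgrade, bytes_out, dur = line.split("|")
        if status == "101" and upgrade.lower() == "websocket":
            sessions.append(WsSession(ts, client, dest, int(bytes_out), int(dur)))
    return sessions


def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_websocket_c2(log_text):
    """Return {destination: {"clients": n, "reasons": [...]}} for every
    WebSocket destination outside the allowlist, with the reasons it stands out."""
    by_dest = defaultdict(list)
    for s in parse_websocket_sessions(log_text):
        if s.dest not in KNOWN_WEBSOCKET_HOSTS:
            by_dest[s.dest].append(s)

    findings = {}
    for dest, sessions in by_dest.items():
        reasons = ["websocket upgrade to non-allowlisted destination"]
        if any(s.duration >= LONG_SESSION_SECONDS for s in sessions):
            reasons.append("long-lived session")
        if any(s.bytes_out >= EXFIL_BYTES_OUT for s in sessions):
            reasons.append("large outbound volume")
        if is_ip_literal(dest):
            reasons.append("destination is a bare IP, not a hostname")
        # Several internal clients talking to the same unknown endpoint points
        # at a campaign rather than one user's odd browsing.
        findings[dest] = {
            "clients": len({s.client for s in sessions}),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for dest, info in find_suspicious_websocket_c2(SAMPLE_LOG).items():
        print(dest, info["clients"], "client(s):", "; ".join(info["reasons"]))
```

The allowlist is the part that needs care: a WebSocket upgrade on its own is normal for collaboration and chat tools, so the signal comes from combining the upgrade with an unknown destination, session length and outbound volume, not from any one of them.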

The Attack Chain of PY#RATION

The attack begins with a deceptive phishing email containing a ZIP archive. Inside the archive are two shortcut (.LNK) files, posing as the front and back images of a supposedly genuine U.K. driver's license. When each of these .LNK files is opened, two text files are retrieved from a remote server and saved as .BAT files.

While the victim is shown the decoy images, the harmful files are executed silently in the background. Another batch script is then downloaded from the C2 server that obtains further payloads, including a Python binary named 'CortanaAssistance.exe.' The use of Cortana, Microsoft's virtual assistant, implies that the attackers attempted to disguise their malicious code as a legitimate system file.
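The delivery chain above leaves three distinct traces on the endpoint that a detection engineer can key on: a shortcut double-clicked from Explorer spawning `cmd.exe` to run a batch file out of a user-writable directory, `.bat` files being written into such a directory by a shell, and a binary named after a Windows component (Cortana, here) running from outside the Windows or Program Files trees. The script below is an added example for this article, not code from the report; the simplified Sysmon-like event schema, the sample events, the directory lists and the lookalike-name list are constructed assumptions.

```python
"""
Host-based detections for a PY#RATION-style delivery chain:
LNK lure -> cmd.exe runs a dropped .BAT -> payload named after a Windows component.

Added example: the event schema, sample events, directory markers and
lookalike list are constructed for illustration, not taken from the report.
"""
import ntpath
import re

# Where a genuine Windows component binary is expected to live (constructed list).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that mark user-writable locations (constructed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Component names worth matching on. The report notes Cortana being impersonated;
# extend this tuple with other names as an assumption for your environment.
IMPERSONATED_COMPONENTS = ("cortana",)
# Shells that write the retrieved text files out as .BAT (constructed assumption).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}

# Constructed, simplified Sysmon-style events: process creations and file writes.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\winlogon.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\front.bat"},
    {"type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\back.bat"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\CortanaAssistance.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "CortanaAssistance.exe"},
    {"type": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "firefox.exe"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_lnk_launched_batch(ev):
    """explorer.exe -> cmd.exe running a .bat from a user-writable directory:
    the process tree produced when a shortcut lure is double-clicked."""
    if ev["type"] != "process" or _basename(ev["image"]) != "cmd.exe":
        return False
    if _basename(ev["parent"]) != "explorer.exe":
        return False
    m = re.search(r"[a-z]:\\[^\s\"']+\.bat\b", ev["cmdline"], re.I)
    return bool(m) and _user_writable(m.group(0))


def rule_batch_dropped_in_user_dir(ev):
    """A shell writing a .bat into a user-writable directory: the retrieved
    text files being saved as batch scripts."""
    if ev["type"] != "file" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    target = ev["target"].lower()
    return target.endswith(".bat") and _user_writable(target)


def rule_component_lookalike_outside_system_dir(ev):
    """A process named after a Windows component (e.g. Cortana) whose image
    does not live under the Windows or Program Files trees."""
    if ev["type"] != "process":
        return False
    name = _basename(ev["image"])
    looks_like_component = any(c in name for c in IMPERSONATED_COMPONENTS)
    return looks_like_component and not ev["image"].lower().startswith(SYSTEM_DIRS)


RULES = {
    "lnk_launched_batch": rule_lnk_launched_batch,
    "batch_dropped_in_user_dir": rule_batch_dropped_in_user_dir,
    "component_lookalike_outside_system_dir": rule_component_lookalike_outside_system_dir,
}


def evaluate(events):
    """Return [(rule_name, subject_path)] for every event that trips a rule."""
    hits = []
    for ev in events:
        subject = ev.get("target", ev["image"])
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, subject))
    return hits


if __name__ == "__main__":
    for rule_name, subject in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {subject}")
```

Each rule is noisy on its own (developers run batch files from Temp all the time), so in practice these are correlated on the same host within a short window; any two of the three firing in sequence is a much stronger indicator than any single hit.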

PY#RATION RAT's Harmful Capabilities

Two PY#RATION Trojan versions have been detected (version 1.0 and 1.6). The newer version includes nearly 1,000 lines of additional code, which adds network scanning features for examining compromised networks and an encryption layer over the Python code using the fernet module. In addition, the threat can transfer files from the breached host to its C2 server and in the other direction.

The RAT can record keystrokes, execute system commands, extract passwords and cookies from Web browsers, capture clipboard data and detect the presence of security software. The threat actors can use PY#RATION as a gateway for deploying the payloads of other threats, such as another Python-based info-stealer created specifically to harvest data from Web browsers and cryptocurrency wallets.
