Growing use of Python Malware hints at malware authors development
In 2018, there have already been several instances of Python-written components of malware. This was a developing trend across 2017 and is widely seen as either lower level actors trialing their hand at malware development or proof of concepts. However, recent developments seem to suggest that the threat landscape has surpassed just lower level actor’s use of Python, with examples of the language becoming much more commonplace.
PyCryptoMiner was the first example of this development in 2018. Identified by F5 Labs, the crypto miner had recently been developed to include leveraging CVE-2017-12149 on J-Boss servers. Initially it used dictionary and brute force attacks against SSH login credentials of target Linux systems, deploying a base64-encoded Python script designed to connect to the C&C server. The additional payloads were also written in Python code.
Palo Alto also identified a Python-based malware, dubbed “PowerStager”. Thematically, Python-based malware often targets Linux systems, most likely due to the development environments the malware was used in. However, PowerStager generates Windows executables and then launches PowerShell scripts in order to execute a shellcode payload. It also had several configuration options, suggesting the authors were much more organised, and potentially skilled, than previously seen.
The targeting of a Brazilian management institution by two different versions of CannibalRAT written in Python also highlights an example were potentially more skilled actors have switched to using Python. The code targeted INESAP users and given its sole targeting of Brazil and use of obfuscation, Talos suggested it could have been for cyberespionage purposes.
It is noted that most malware making use of Python scripts rely on other languages for increased functionality. The latest example, a backdoor identified by Alien Vault, found 50% of the code was written in Python. However, the language’s ubiquitous use in malware development is an increasing trend and perhaps most poignantly seen in the GitHub DDoS random note. According to CyberReason, the note was written in a line of Python code that repeated multiple times.
Historically, Python-based malware was an indication of the lower skilled actors, as Python is viewed as a gateway language to learn coding. However, with more groups leveraging the scripts in successful operations, this arguments seems harder to sustain.