PythonRatLoader: The Proprietor of XWorm and Friends

Authors: Adam Martin and Kian Buckley Maher

Introduction

The Cofense Phishing Defense Center (PDC) has uncovered a sophisticated attack that leveraged multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT. However, this attack campaign didn’t end with VenomRAT because the subsequently loaded plugin continued to deploy various types of malware into the victim’s environment.

Additionally, the PDC team recently identified a phishing campaign that uses multiple layers of evasion techniques to deploy various malware into an infected environment. This campaign is aimed at employees and poses as a customer requesting a service. The email uses urgent language to deceive a victim into clicking a malicious attachment, initiating a series of harmful activities, and deploying several types of malware. All the malware in this attack uses the same packing and obfuscation techniques. The deployed malware includes XWorm, VenomRAT, AsyncRAT, and DCRat. 

As illustrated in Figure 1, our initial threat vector is a download link to a “PDF” file purporting to be a general invoice, luring the potential victim into accessing the malicious URL. 

Figure 1 Initial Threat Vector

Once accessed, an internet shortcut file will be automatically downloaded to the default downloads directory. This shortcut file is used to navigate the victim to the remote server. This is possible because Windows Explorer permits browsing through the WebDAV protocol, which allows users to access, edit, and download from remotely hosted web servers.

Figure 2   Internet Shortcut File

The file:// URL points to a WebDAV service hosted via Cloudflare's tunneling system. By opening the shortcut, a user would have remote file access to the /Dev directory over SSL/TLS, as illustrated in Figure 2. 

While conducting this analysis, the base URL hosting the content was accessible, as per Figure 3. 

Figure 3 Hosted Malicious Directory

Once the shortcut file is accessed, the user will be prompted with a Network directory view. The “PDF” being displayed is, in fact, being accessed via the WebDav protocol on the hosted server rather than being hosted locally.

Figure 4 "PDF" File Download to Network Folder

 The “PDF” is really a PowerShell script which will do the following:

• Use PowerShell to download and execute a batch script from a remote server via a hidden command.Mad.
• Fetch the batch script from a Cloudflare-hosted URL (principles-yours-respected-skirt[.]trycloudflare[.]com), achieved using the same WebDAV Method as the first URL.
• Employ Invoke-Expression (iex) to run the batch file’s contents, achieving remote code execution.
• Use directory traversal and hidden window flags to evade detection.

Figure 5 Extracted script

This will prompt a download via msedge.exe for corn.bat, which is obfuscated with BatchShield, an open-source batch script obfuscator available on GitHub. The obfuscated version and deobfuscated version can be found in Figures 5 and 6, respectively. BatchShield uses a simple form of string obfuscation where % symbols and obfuscated characters replace meaningful batch script commands and variables. 

Breakdown:

1. The script looks for PDF files in the downloads folder and sets the first one it finds as the variable pdfFile.
2. Once a file is found, it opens the file using the start command.
3. The script then sets a URL for a ZIP file download (zipUrl) and a download location (destination).
4. Using PowerShell's Invoke-WebRequest, it attempts to download the ZIP file from the given URL to the specified location. In this case, the Python 312 folder is downloaded and hidden on AppData/Roaming. 

Figure 6 Obfuscated corn.bat

Figure 7 Decoded corn.bat

Breakdown: 

• PDF File Search: The script searches the user's downloads folder for any files with a .pdf extension, using a for loop to iterate over the found files.
• Variable Assignment: Upon finding a PDF file, it assigns the path of the first PDF file found to the variable pdfFile and immediately jumps to the openPdf label to execute the subsequent commands.
• Open PDF: The script prints a message indicating the PDF file is being opened and uses the start command to open the file with the default PDF viewer on the system.
• ZIP File Variables: It defines a URL (zipUrl) for a ZIP file to be downloaded and specifies a destination path (destination) in the downloads folder where the ZIP file will be saved.
• Download ZIP File: Using PowerShell, the script attempts to download the ZIP file from the specified URL and save it to the designated location, handling any potential errors during the download process with a try-catch block to exit if an error occurs.

The embedded Python payload contains a mix of standard Python dependencies along with three payload files, as per Figure 8. The ones of concern are xw.py, xo.py, and ch.py. 

Figure 8 Python 312 Payload

A new .bat file is downloaded, which contains all of the components necessary for a modular and multistage attack to take place. 

Figure 9 Update.bat used to run Python Payload

Update.bat breakdown: 

• The script checks if it's already running with a flag (MY_FLAG). If not, it restarts itself in a minimized window.
• It changes the working directory to a specific Python folder in downloads.
• It runs three Python scripts sequentially: ch.py (DCRAT), ex.py (VenomRAT), and xw.py (XWorm).
• It terminates the cmd.exe process to close the command window.

From here, we can analyze the running process of xw.py, the malicious Python script payload for XWorm. The script is heavily obfuscated using “KRAMER,” an open-source Python script obfuscator. When running the script in isolation, the command prompt will remain open, allowing us to analyze a snippet of the methodology used for shellcode injection as per Figure 10. 

Figure 10 Shellcode Injection

This is achieved through a process injection method known as Early Bird APC (asynchronous procedure queue) injection. In essence, the script creates a new process (Notepad.exe in this case) and injects the malicious code into it before the thread execution begins. This is done to evade antivirus detection due to the increased likelihood that antivirus software won’t detect this behavior so early in the application initialization phase.

From here, we can analyze the memory strings of xw.py to bypass some of the encryption and view its instructions at run time. 

Figure 11 Decrypted xw.py snippet

• Shellcode Decryption: The function rc4_decrypt is called with the encoded key and encrypted_data to obtain the decrypted shellcode.
• Memory Allocation: A mutable memory buffer is created using ctypes.create_string_buffer to store the decrypted shellcode.
• Memory Permission Adjustment: The VirtualProtect Windows kernel API call is used to change the memory permissions of the buffer to PAGE_EXECUTE_READWRITE, allowing execution of the shellcode.
• Shellcode Execution: The decrypted shellcode is cast to a callable function and executed.

Figure 12 Process Injection to Notepad.exe

Examining the memory strings of this process at runtime allows us to confirm that this sample makes an outbound connection request to an XWorm C2 along with string

references to XWorm. It’s worth noting that each Python script will execute and inject into an individual notepad.exe process. The related Notepad processes were seen to be DCRAT and VenomRAT. 

Figure 12 Spawned Notepad Processes

Figure 13 XWorm String Detected via YARA Rule Match

Figure 14 Confirmation of XWorm from xw.py 

Attack Flow

Conclusion

While the methods deployed in this attack are nothing new in the world of malicious loaders, the ways in which they are being utilized here shows an increased level of complexity. The use of several real/fake file types, along with silent PowerShell execution and significant obfuscation of code, gives PythonRATLoader the ability to enter victim systems and cause a serious level of damage to any organization infected before the attack can be caught and isolated by traditional endpoint monitoring, detection, and remediation systems. 

In our investigation we went into a deep dive on activity spawning from the ‘xw.py’ script, but the other two payloads will spawn their own version of the ‘Notepad.exe’ and inject different versions of shellcode by abusing the same APC Queue exploit, ‘ch.py’ will spawn a version of DCRAT and ‘ex.py’ will spawn a version of VenomRAT, each of these is incredibly destructive in its own way. 

The Cofense PDC recommends maintaining a high level of email security awareness among users to prevent attacks like this because the initial infection vector continues to be very well-crafted phishing emails that, through their perceived innocuous nature, lull users into a false sense of security. Once access is gained, detection and remediation become significantly more time-consuming and costly. 

It is important to teach users to be highly aware of any emails being received containing: 

• Unexpected ZIP/HTML/Office Doc files.
• URLs not used in regular day-to-day operations.
• Urgent, sympathetic, or threatening language.
• Differences in writing styles used by senders known to the user.
• Unusual/unexpected email addresses from free providers such as Gmail, Yahoo, and Yandex.
• Aliases that have no relation to the email address used or the context in which it was received.

These are common tactics used in malicious emails of any type, ranging from Malware to BEC (Business Email Compromise), and knowing how to recognize them can save an organization from serious damage. Suspicions of any kind should be reported to your security team immediately for awareness and remediation.

Teach your employees to spot these attacks and prevent them at the source with Cofense’s comprehensive suite of email Reporting and Response Tools, Phishing Simulations, and PhishMe Security Awareness Training (SAT.)

MITRE ATT&CK

PythonRATLoader 

XWorm

YARA Rule

strings:

$file1= “/usr/bin/python /tmp/ch.py”

$file2= “xterm -hold -e /usr/bin/python /tmp/ch.py”

$file3= “/usr/bin/python /tmp/xw.py”

$file4= “xterm -hold -e /usr/bin/python /tmp/xw.py”

$powershell1= “Invoke-WebRequest -Uri 'https://principles-yours-respected-skirt.trycloudflare.com/”

condition:

any of ($file*) or $powershell1

IOCs