
In a recent incident response analysis, GuidePoint Security has uncovered a sophisticated use of a Python-based backdoor by a threat actor affiliated with RansomHub. This development highlights a growing trend in ransomware tactics, where attackers leverage advanced programming techniques to maintain access to compromised networks.

Incident overview

During Q4 of 2024, GuidePoint Security detected that the threat actor utilized a Python backdoor to establish persistent access across compromised endpoints. Following this initial access, the attacker deployed RansomHub encryptors throughout the affected network, indicating a systematic approach to ransomware deployment. Notably, ReliaQuest had previously documented an earlier iteration of this malware in February 2024, suggesting an evolving threat landscape.

Key findings

The latest version of the Python backdoor exhibits several significant characteristics:

  • Obfuscation techniques: the malware employs obfuscation methods sourced from PyObfuscate.com, making detection more challenging for security tools.
  • Lateral movement via RDP: the threat actor executed lateral movement using Remote Desktop Protocol (RDP), allowing them to spread the malware across additional systems quickly.
  • Unique indicators of compromise (IoCs): GuidePoint identified specific IoCs, including filenames, scheduled task names, and command-and-control (C2) addresses. A total of 18 IP addresses associated with the C2 infrastructure have been documented and will be shared publicly on GitHub.

Deployment process

The deployment of the Python backdoor follows a structured five-step process:

  • Navigate to the target directory
  • Install Python
  • Set up pip and the required libraries
  • Create the proxy script
  • Establish persistence with scheduled tasks

This methodical approach indicates that the Python backdoor acts as a second-stage payload, likely maintained separately from the initial infection vector, which has been linked to SocGholish (FakeUpdate).

Technical analysis

The Python script functions as a reverse proxy connecting to a hardcoded IP address, establishing a SOCKS5-like tunnel for lateral movement within the compromised network. The analysis revealed that while previous versions of the script passed connection parameters as arguments, the obfuscated versions have these values hardcoded, enhancing their stealth capabilities. Notably, the coding style observed in the script suggests either meticulous human programming or potential AI-assisted code generation, characterized by high readability and robust error handling.
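As an added example covering both the deployment steps and the technical analysis above (this is not GuidePoint's code or anything from the report), the following Python triage check runs over a constructed inventory of scheduled tasks and outbound connections and flags the described pattern: a scheduled task launching a Python interpreter from a user-writable directory with a script argument, where that same interpreter image holds a long-lived outbound session to a single remote address. The directory list, task names, paths and addresses are assumptions and placeholders, not indicators from the report.

```python
"""Heuristic triage for the scheduled-task + Python reverse-proxy pattern
described above. All records below are constructed placeholders."""
import re
from dataclasses import dataclass

# Assumption: a dropped interpreter lives under a user-writable directory;
# legitimate installs sit under Program Files or AppData\Local\Programs.
SUSPICIOUS_ROOTS = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata\\local\\temp|downloads|public)"
    r"|programdata|windows\\temp|temp)\\", re.IGNORECASE)
PYTHON_EXE = re.compile(r"(?:^|\\)pythonw?(?:\d+(?:\.\d+)?)?\.exe$", re.IGNORECASE)
@dataclass
class ScheduledTask:
    name: str
    exe: str   # program the task action runs
    args: str  # its command-line arguments

@dataclass
class Connection:
    exe: str         # image of the process owning the socket
    remote: str      # "ip:port"
    duration_s: int  # how long the session has been established

def task_is_suspicious(task):
    """Python interpreter run from a user-writable path with a .py script."""
    return (bool(PYTHON_EXE.search(task.exe))
            and bool(SUSPICIOUS_ROOTS.match(task.exe))
            and task.args.lower().endswith(".py"))

def find_reverse_proxy_candidates(tasks, conns, min_duration_s=600):
    """Pair each suspicious task with long-lived outbound sessions held by
    the same interpreter image, as a reverse proxy to a hardcoded C2 would."""
    flagged = {t.exe.lower(): t for t in tasks if task_is_suspicious(t)}
    return [(flagged[c.exe.lower()].name, c.remote) for c in conns
            if c.exe.lower() in flagged and c.duration_s >= min_duration_s]

# Constructed sample inventory (placeholder names, paths and addresses).
TASKS = [
    ScheduledTask("Updater", r"C:\Program Files\Python312\python.exe", r"C:\tools\build.py"),
    ScheduledTask("SysHelper", r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
                  r"C:\Users\alice\AppData\Local\Temp\py\proxy.py"),
]
CONNS = [
    Connection(r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe", "203.0.113.10:443", 5400),
    Connection(r"C:\Program Files\Python312\python.exe", "198.51.100.5:443", 30),
]
if __name__ == "__main__":
    for name, remote in find_reverse_proxy_candidates(TASKS, CONNS):
        print(f"task {name!r}: Python from user-writable path, long-lived session to {remote}")
```

In practice the task and connection records would come from a scheduled-task export and a network-connection inventory, and the remote addresses would be checked against the IoC list the report promises to publish.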

Conclusion

This incident underscores the ongoing evolution of ransomware tactics and highlights how affiliates like RansomHub are increasingly adopting sophisticated tools to evade detection and maintain persistence within compromised networks. As cyber threats continue to advance, organizations must remain vigilant and proactive in their cybersecurity measures.
