Threat Research

Emerging Threat: Understanding The PySilon Discord RAT’s Versatile Features – Cyble

Securonix

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has observed the usage of an open-source PySilon RAT by multiple threat actors (TAs).
  • The presence of over 300 samples on VirusTotal since June 2023 suggests a significant surge in the PySilon malware’s activity.
  • PySilon RAT was first established in December 2022 as version 1.0 and has since evolved to its current iteration, version 3.6.
  • The current version boasts advanced malware capabilities, including its ability to record keystrokes, steal sensitive information, capture screen activity, execute remote commands, and perform additional functions.
  • CRIL has also detected numerous samples that imitate software, tools, and cracks suspecting their origin from phishing websites, free software downloading websites, etc.

Overview

Threat Actors (TAs) resort to open-source malware available on platforms like GitHub due to its convenience, advanced functionalities, and adaptability. CRIL has recently come across multiple instances of PySilon RAT, an open-source malware. It has been noted that over 300 samples of this malware have been reported on VirusTotal since June 2023. The upward trend in these samples suggests a growing usage of PySilon RAT.

Figure 1 Rise of PySilon RAT Stats Source VirusTotal
Figure 1- Rise of PySilon RAT (Stats Source- VirusTotal)

On September 13th, CRIL came across a PyInstaller file named “Adobe Photoshop.exe” on VirusTotal. We presume that this executable comes from a phishing website. After conducting an analysis, it was noticed that the PyInstaller malware executable was created utilizing an open-source GitHub project known as “PySilon,” a Remote Access Trojan (RAT).

Figure 2 – PySilon RAT with Adobe Photoshop Icon
Figure 2 – PySilon RAT with Adobe Photoshop Icon

The PySilon project (PySilon v1.0), featuring basic malware capabilities, was originally posted on GitHub in early December 2022. PySilon v3.6, the most recent version, was released at the end of August 2023, boasting advanced malicious functionalities.

Figure 3 PySilon malware Icon
Figure 3 – PySilon malware icon

The malware created using the PySilon builder was initially identified by NeikiAnalytics approximately one month ago, as shown below.

Figure 4 – First discovery of PySilon RAT executable in VirusTotal
Figure 4 – First discovery of PySilon RAT executable in VirusTotal

During the time of our analysis, FalconFeedsio also posted a Twitter message indicating that a forum user was endorsing the “PySilon Malware.” Additionally, we have identified numerous samples that mimic software, tools, and cracks suspecting that they were downloaded from phishing websites, free software downloading sites, etc. The malware files generated using the PySilon builder utilize file names, which include:

  • WinSecureInstaller.exe
  • VF_V2  Visual efects + fps unlocker.exe
  • Adobe Photoshop.exe
  • Synapse Launcher.exe         
  • Windows Defender.exe
  • cmdassist.exe
  • WindowsUpdate.exe
  • Chromedriver.exe
  • Windows-MSDEV-v1.8-nonUWPapp.exe
  • nitrogen+checker.exe

Technical analysis

Builder

The following figure shows the PySilon builder package. Upon running the “PySilon.bat” file, it launches a GUI that provides users with the ability to create a customized PySilon RAT binary and subsequently save it to the “dist” folder. The “resources” folder comprises multiple Python scripts, each dedicated to a specific functionality of the RAT malware.

Figure 5 PySilon malware package version 3.6
Figure 5 – PySilon malware package version 3.6

The PySilon RAT builder enables TAs to create a customized malicious binary file with the desired functionalities for their malware. The image depicted below displays the GUI of the PySilon builder, showing a range of options for constructing a binary file.

Figure 6 PySilon builder GUI
Figure 6 – PySilon builder GUI

PySilon RAT (Remote Access Trojan)

This is an advanced RAT coded in the Python programming language, designed for complete control via Discord, featuring a specialized GUI builder. As per the information provided by the developers on GitHub, this PySilon RAT encompasses a wide range of functionalities, which include:

  • Bypassing UAC to obtain Administrative permissions upon startup.
  • Anti-VM measures, preventing execution on virtual machines (e.g., VirtualBox, VMWare).
  • Running CMD commands for remote control.
  • Process management, including browsing and termination.
  • Extraction of browser history, cookies, and saved passwords.
  • Collection of Discord tokens and system information.
  • Wi-Fi password theft.
  • File browsing on the target PC.
  • Keystroke logging for capturing every keyboard input.
  • Manipulation of copied cryptocurrency wallet addresses.
  • Capture screenshots and record the screen as per preference.
  • Webcam image capture capability.
  • Continuous microphone recording saved in .wav files.
  • Live microphone streaming to a voice channel.
  • Mouse and keyboard control, including the ability to block them.
  • File execution functionality.
  • Upload and download files from the target PC.
  • Ability to trigger a Blue Screen of Death.
  • Execution of a fork bomb to crash the PC.
  • Ability to manage multiple PCs, not limited to just one.

PySilon Functionalities

The PySilon project comprises multiple Python files designed to perform malicious activities, as outlined in the sections below.

UAC Bypass

The PySilon project contains a python file named “uac_bypass.py” which attempts to bypass Windows User Account Control (UAC) security feature.

  • It includes a UACbypass function that checks if it’s running with admin privileges, tries two UAC bypass methods involving registry modifications and executing system commands to query event logs related to Windows Defender, and recursively calls itself upon success.
  • The IsAdmin function checks if the user has admin rights using ctypes.
  • The GetSelf function determines if the script is an executable or a script file.
Figure 7 UAC Bypass
Figure 7 – UAC Bypass

Anti-VM/Anti-Debug Check

The developer of this project employed a python file named “protections.py,” which provides a basic security check to detect potential signs of virtualization, debugging environments, or the presence of specific blacklisted processes on a Windows system as shown in Figure 8. If any of these elements are detected, it terminates the malware process.

Figure 8 Anti VM Anti Debug
Figure 8 – Anit-VM/Anti-Debung

Keylogger

The Python script named “keylogger.py” within the PySilon project combines a keylogger with a Discord bot client, potentially serving malicious purposes while handling keylogging activities. It imports various libraries, including one for keyboard monitoring and another for capturing screenshots.

  • The code listens for keypresses with the Listener, and it attempts to run multiple Discord bot clients with decoded tokens. This keylogger function is initiated with listener.join().
  • The on_press function serves as the keylogger, processing keypress events and mapping special keys to descriptive labels. When the Enter key is pressed, the accumulated text is sent as a message to the Discord bot’s main channel.
  • If the Print Screen key is pressed, a screenshot is captured and scheduled for sending it via discord channel.
Figure 9 Keylogger
Figure 9 – Keylogger

Grabber

Another python script of the project named “grabber.py,” is responsible for discreetly collecting sensitive data. It responds to commands sent via a Discord bot, initiating various data-gathering operations on the victim’s machine.

The commands include:

  • ‘.grab passwords’ for capturing saved passwords.
  • ‘.grab history’ for collecting browser histories.
  • ‘.grab cookies’ for grabbing browser cookies.
  • ‘.grab wifi’ for extracting Wi-Fi network passwords.
  • ‘.grab discord’ for retrieving Discord account-related data.

These collected details are presented within Discord channels in different formats, such as messages and file attachments.

Figure 10 Grabber
Figure 10 – Grabber

Crypto-Clipper

The developer of the project used a python script “crypto_clipper.py,” which serves as part of a malicious tool referred to as a “Crypto Clipper,” designed to operate as a Discord bot and respond to specific commands related to clipboard manipulation. When a TA issues the ‘.start-clipper’ command, the script checks whether the Crypto Clipper is already running, and if not, initializes it.

The Clipper monitors the clipboard content for cryptocurrency wallet addresses, attempting to replace them with different addresses controlled by TAs. It reads cryptocurrency addresses from a JSON file, employs regular expressions to identify addresses in the clipboard, and operates within a separate thread for continuous monitoring.

The script includes logging comments to document various actions and events. When successfully started, it sends a message to the Discord channel, indicating that the Clipper is active. Conversely, the ‘.stop-clipper’ command stops the Clipper.

Figure 11 Crypto Clipper
Figure 11 – Crypto Clipper

Get Cookies

The Python script named “get_cookies.py,” is designed to automate the extraction and decryption of browser cookies from various web browsers installed on a Windows system such as Kometa, Orbitum, Cent-Browser, 7star, Sputnik, Vivaldi, Google-Chrome-SxS, Google-Chrome, Epic-Privacy-Browser, Microsoft-Edge, Uran, Yandex, Brave, Iridium, Opera, and Opera-GX.

The script defines a class called Browsers that identifies running browser processes and terminates them to ensure safe access to their data. It then attempts to retrieve the master encryption key used to protect stored passwords and cookies from each browser’s data directory. The script iterates through supported browsers and profiles, decrypts the stored cookies, and writes them to a “cookies.txt” file as shown below.

Figure 12 Get Cookies
Figure 12 – Get Cookies

Discord Token Grabber

The “discord_token_grabber.py,” python script is designed for the extraction and potential uploading of Discord user tokens and related information from various Discord-related directories and files on a Windows system. The script defines classes including:

  • The grab_discord class serves as an entry point for initializing and uploading Discord tokens and related data.
  • The extract_tokens class of the script scans multiple Discord-related directories, extracts tokens from specific files using regular expressions, and decrypts them using a master encryption key. It validates these tokens by making API requests to Discord.
  • The fetch_tokens class retrieves and prepares token-related data, including user details, billing information, associated guilds, and gift codes, either in the form of JSON objects, depending on a raw_data parameter.
Figure 13 Discord Token Grabber
Figure 13 – Discord Token Grabber

Capture image using Webcam

The script “webcam.py” of the PySilon project integrates with Discord to enable TAs to capture photos using victim computer’s webcam in response to specific Discord commands.

  • If the command is just “.webcam,” it provides usage instructions and reply with a red emoji.
  • If the command includes “.webcam photo,” the script initializes the webcam using Pygame, captures an image, saves it to the victim’s computer, and sends the image as an Discord message with a timestamp.

If no cameras are found, it notifies users that no cameras are available. If an invalid argument is provided, it gives usage instructions. Additionally, it removes the captured image from the user’s computer.

Figure 14 Webcam
Figure 14 – Webcam

Microphone Recording

The Python script “microphone_recording.py” utilizes the SciPy library to continuously capture audio from a microphone and saves it as a .WAV file. Inside the script, the “start_recording” function, running in an infinite loop and checks if “send_recordings” flag is set to true. If it is set to true, the scripts record the audio and send it to discord channel along with the timestamp. If the flag is false, it waits for 20 seconds and checks the flag status again for capturing the audio.

Figure 15 Microphone record
Figure 15 – Microphone record

Additional Functionalities

Furthermore, the RAT has the capability to execute various actions based on commands issued by a TA. These actions include capturing or recording the screen, triggering a Blue Screen Of Death (BSOD), enabling live microphone access, uploading and downloading files, initiating a fork bomb, establishing a reverse shell, achieving persistence on the compromised system, terminating processes, and deleting files as instructed by the remote attacker.

The following image depicts the command employed by the TA to accomplish the required task.

Figure 16 – Commands employed by the PySilon RAT
Figure 16 – Commands employed by the pySilon RAT

The below figure shows the process tree of the PySilon RAT executable.

Figure 17 Process tree
Figure 17 – Process tree

Conclusion

TAs use open-source code, often from platforms like GitHub, in malware campaigns for cost efficiency, as it’s freely available and well-tested. It enables rapid development and customization while obfuscating the malicious intent, making detection harder. In this case, TAs are utilizing a PySilon malware builder obtained from GitHub to generate a Remote Access Trojan malware file. With this malicious tool, they can carry out a range of activities, including logging keystrokes, pilfering sensitive data, transferring files to and from compromised systems, recording the screen, capturing audio from microphones, executing remote commands, and more.

The PySilon project’s owner is continually improving the builder and intends to introduce new features in upcoming releases. Our monitoring has revealed a significant surge in the number of PySilon executable uploads on VirusTotal, and the active promotion of this malware by users in online forums serves as a clear indicator that PySilon is emerging as an escalating concern within the threat landscape.

Our Recommendations

  • The initial infection could occur through phishing websites, free software downloading websites, etc. Ensure that you download and install software applications exclusively from reputable and established sources. Refrain from obtaining software from online sources that lack credibility or verification.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.

MITRE ATT&CK® Techniques

Tactic  Technique Procedure
Initial Access (TA0001) Phishing (T1566) This malware could reach users via phishing sites.
Execution  (TA0002) User Execution (T1204) The user needs to manually execute the malicious file downloaded from the
phishing site.
Execution  (TA0002) Command and Scripting
Interpreter (T1059)		 cmd.exe are used to collect system
information.
Execution  (TA0002) Command and Scripting
Interpreter (T1059.001)		 PowerShell command are used to add an
exclusion path for Windows Defender.
Execution  (TA0002) Windows Management Instrumentation (T1047) WMIC command used to get system
information.
Persistence (TA0003) Registry Run Keys /
Startup Folder (T1547.001)		 Malware adding run entry for persistence.
Defense Evasion (TA0005) Virtualization/Sandbox Evasion (T1497) Performing Anti-VM/Anti-Debug technique
for evasion
Defense Evasion (TA0005) Disable or Modify Tools
(T1562.001)		 The malware scans for VM and Debugger-
related processes and terminates them.
Credential Access (TA0006) OS Credential Dumping
(T1003)		 Malware attempts to dump credentials to
obtain account login and credential.
Credential Access (TA0006) Input Capture (T1056.001) The malware possesses the capability to
engage in keylogging activities.
Discovery (TA0007) Process Discovery (T1057) The malware look out a specific processes
to terminate.
Discovery (TA0007) Query Registry (T1012) The malware is examining the registry to extract system details.
Discovery (TA0007) System Information
Discovery (T1082)		 The malware gathers system information through PowerShell, Command Prompt
(cmd), and WMIC.
Discovery (TA0007) Security Software
Discovery (T1518.001)		 The malware is searching for processes
associated with virtual machines and
debuggers to forcibly terminate.
Collection (TA0009) Data from Local System
(T1005)		 The malware collects sensitive data from
victim’s system.
C&C
(TA0011)		 Application Layer Protocol
(T1071)		 TCP is used by the malware to interact
with the C&C server.
C&C
(TA0011)		 Ingress Tool Transfer
(T1105)		 The malware has ability to download
files from C&C

Indicators of Compromise (IOCs)

Indicators Indicator
Type		 Description
257719c0fb80ef287143fa5b76f9c21f 210d9beb06bfd931cd493a2f403a1a89fed1fbc6
150e92f301e0bcf4e401be5d21c48ad89dbb12522870fd2a9a2deb3dd818a239		 MD5
SHA1
SHA256		 PySilon RAT
(Adobe Photoshop.exe)
6ec269438a88b7045fa59ab1f3f40bedba8daaafa8f84f44cca9f42609ccdd9e 34eaa3fc0a6bd30088b882805240a03f988ecbfdf89f248a3f87cd4599763eec 82d24874d87c6dcf6d654ab94e8e8f8d163c0eac7bafbde7bbbec0f363fe741c 1ea9c40e8a27d8a084ffff2da909d00d09e739a9c12a59fa0a72537e00b02e68 932f08251d715bd100def07ba0cf98103b53186c6a0a34421958dedc94b64935 a4b0d797cc7cb65841e390a851b4c1a826fa73670dd907811fe120913e9cb2e4 c9ea08045ffbd89d92da65f7f8d4a2ce1103943a62d131f0ff713881dc1393f1 1ba854a402e5a811ef7ea93d9e160270bd413526adf3c6b9f47125fdf7e60763 69c71f8128feef88ec90b42ca01dbb12b67a37c696aa4a24c77c9c1facc55dcc f6ffdfdf2a7b684307b20965155035acf9b7e25456338c7072171e52acc4f204 ba026ae40a4f1e93e1c328c436eb2ac763ed7898f881120e9eed92edee1149df SHA256 Similar
PySilon RAT
executables

Source: https://cyble.com/blog/emerging-threat-understanding-the-pysilon-discord-rats-versatile-features/

Tags: DISCOVERY, COLLECTION, DEFENSE EVASION, BROWSER, PASSWORD, TOOL, TROJAN, CREDENTIAL