RansomHub Affiliate Leverages Python-based Backdoor
GuidePoint Security identified a Python-based backdoor that a RansomHub affiliate used to maintain access to compromised systems and to deploy RansomHub encryptors across the network. The script is obfuscated, and the threat actor moved laterally over Remote Desktop Protocol (RDP) to reach the hosts on which it was dropped. Key indicators of compromise, a detailed analysis of the deployment process and the command-and-control mechanism are also discussed. Sources: GuidePoint Security, ReliaQuest

Keypoints :

  • GuidePoint Security discovered the Python-based backdoor in Q4 2024.
  • The backdoor was used to deploy RansomHub encryptors across the network.
  • The script was obfuscated with a tool from PyObfuscate[.]com.
  • Initial access was attributed to SocGholish (FakeUpdate).
  • Deployment involved lateral movement via Remote Desktop Protocol (RDP).
  • GuidePoint identified 18 IP addresses associated with the backdoor's C2 infrastructure.
  • The Python script functions as a reverse proxy that tunnels SOCKS5 traffic through the compromised host.
  • Code analysis revealed patterns consistent with AI-assisted authoring.
  • Indicators of compromise include specific file names and scheduled task names.
  • Updates to the list of C2 addresses will be published on GitHub.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: Web Protocols: The threat actor established command-and-control communication over HTTP, with the backdoor exposing a SOCKS5-style tunnel.
  • T1021.001 – Remote Services: Remote Desktop Protocol: Lateral movement used compromised credentials over RDP.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: Python and the required libraries were installed using command-line instructions.
  • T1027 – Obfuscated Files or Information: The Python script was obfuscated to evade detection.
  • T1189 – Drive-by Compromise: Initial access was attributed to SocGholish (FakeUpdate), a fake-browser-update lure rather than a software exploit.

Indicators of Compromise :

  • [file name] get-pip2.pyd
  • [file name] get-pip2
  • [file hash] 5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c
  • [ip address] 185.174.101.240
  • [ip address] 38.180.81.153
  • Check the article for all found IoCs.
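As an added hunting example (not code from GuidePoint, ReliaQuest or the original page), the Python below sweeps constructed sample data for the IoCs listed above and for SOCKS5 negotiation frames of the kind a reverse-proxy backdoor carries. The firewall log format, file paths and captured payloads are constructed for the example; the IoC values are the two IP addresses, two file names and the SHA-256 quoted above, and the SOCKS5 decoding follows RFC 1928.

```python
"""Added example: hunt for the page's backdoor IoCs and SOCKS5 frames.
Not GuidePoint's code; sample inputs below are constructed."""
import hashlib
import ipaddress
import re
import struct

# IoCs quoted from the page; the full list is in the GuidePoint article.
IOC_SHA256 = {"5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c"}
IOC_FILENAMES = {"get-pip2.pyd", "get-pip2"}
IOC_IPS = {"185.174.101.240", "38.180.81.153"}

# RFC 1928 constants.
SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Constructed sample firewall log in an assumed key=value style (no real vendor format).
SAMPLE_FW_LOG = """\
2024-11-12T03:14:07Z action=allow src=10.0.0.25 dst=142.250.72.14 dport=443 proto=tcp
2024-11-12T03:14:09Z action=allow src=10.0.0.25 dst=185.174.101.240 dport=443 proto=tcp
2024-11-12T03:15:31Z action=allow src=10.0.0.41 dst=38.180.81.153 dport=80 proto=tcp
2024-11-12T03:16:02Z action=deny src=10.0.0.41 dst=10.0.0.25 dport=3389 proto=tcp
"""

_LOG_RE = re.compile(r"^(?P<ts>\S+) .*?src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def sweep_firewall_log(text):
    """Return (timestamp, src, dst, dport) for every line whose dst is a known C2 IP."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m and m["dst"] in IOC_IPS:
            hits.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return hits


def sweep_files(files):
    """files: {path: contents}. Flag IoC file names and IoC SHA-256 hashes."""
    findings = []
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if name in IOC_FILENAMES:
            reasons.append("ioc-filename")
        if digest in IOC_SHA256:
            reasons.append("ioc-sha256")
        if reasons:
            findings.append({"path": path, "sha256": digest, "reasons": reasons})
    return findings


def is_socks5_greeting(payload):
    """Client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == SOCKS_VERSION and len(payload) == 2 + payload[1]


def parse_socks5_connect(payload):
    """Decode a SOCKS5 CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.
    Returns (host, port), or None if the bytes are not a well-formed CONNECT."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[1] != CMD_CONNECT or payload[2] != 0:
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4 and len(payload) >= 10:
        host, off = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(payload) >= 5 and len(payload) >= 7 + payload[4]:
        n = payload[4]
        host, off = payload[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == ATYP_IPV6 and len(payload) >= 22:
        host, off = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    return host, struct.unpack("!H", payload[off:off + 2])[0]


def sweep_flows(flows):
    """flows: [(dst_ip, first_payload_bytes)]. Returns (dst_ip, reason, detail) tuples for
    flows to an IoC IP or carrying SOCKS5 negotiation (checked regardless of direction,
    since a reverse proxy receives CONNECTs over its own outbound session)."""
    alerts = []
    for dst, payload in flows:
        if dst in IOC_IPS:
            alerts.append((dst, "ioc-ip", None))
        if is_socks5_greeting(payload):
            alerts.append((dst, "socks5-greeting", None))
        target = parse_socks5_connect(payload)
        if target:
            alerts.append((dst, "socks5-connect", target))
    return alerts


if __name__ == "__main__":
    print(sweep_firewall_log(SAMPLE_FW_LOG))
    print(sweep_files({"C:/Users/Public/get-pip2.pyd": b"constructed, not the real sample"}))
    # Constructed frames: a greeting, then a CONNECT to 10.0.0.25:3389 (RDP) through the tunnel.
    frames = [("185.174.101.240", b"\x05\x01\x00"),
              ("185.174.101.240", b"\x05\x01\x00\x01" + bytes([10, 0, 0, 25]) + b"\x0d\x3d")]
    print(sweep_flows(frames))
```

To use it against real data, replace SAMPLE_FW_LOG with an export in the same key=value shape (or adjust _LOG_RE), feed sweep_files the files from the locations named in the article, and load the complete IP list from the article or its GitHub updates rather than the two addresses quoted here. The SOCKS5 checks only make sense on the first bytes of a flow; a CONNECT to an internal host on port 3389 arriving over an established outbound session is exactly the RDP lateral movement the report describes.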


Full Research: https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/