Key points
- Pupy RAT is open-source (GitHub) and cross-platform (Windows, Linux; limited macOS/Android), written in C and Python.
- Core capabilities include remote command execution, file upload/download, process and file handling, screenshots, and keylogging.
- Pupy supports post-exploitation modules for privilege escalation, credential theft, and lateral movement, enabling advanced follow-up attacks.
- Linux variants commonly masquerade process names (defaulting to /usr/sbin/atd) and use kworker/ntpd-like names; build revision prefixes can help distinguish actors.
- Campaigns observed from 2019 through 2024 targeted Asian countries (including South Korea) and shared infrastructure with Cobalt Strike and PlugX; distribution via trojanized downloads and spearphishing was observed.
- The report provides extensive IOCs: multiple MD5 hashes, C2 servers (many over :443), and download URLs to aid detection and blocking.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used to execute remote commands on infected hosts: [‘…supports features such as command execution…’]
- [T1105] Ingress Tool Transfer – Malware supports uploading/downloading files to/from the host: [‘…uploading and downloading files…’]
- [T1113] Screen Capture – Used to capture screenshots for information theft: [‘…capturing screenshots…’]
- [T1056] Input Capture – Keylogging functionality to capture user input and credentials: [‘…keylogging…’]
- [T1036] Masquerading – Linux samples change process names to blend in (default ‘/usr/sbin/atd’ or kworker/ntpd variants): [‘…changes the process name to “/usr/sbin/atd” at runtime by default…’]
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications observed over HTTPS (:443) to multiple domains and IPs: [‘…C&C Servers … :443: Pupy RAT – Korea…’]
- [T1068] Exploitation for Privilege Escalation – Post-exploitation modules enable privilege escalation routines: [‘…privilege escalation…’]
- [T1021] Remote Services – Capabilities and modules facilitate lateral movement across networks: [‘…lateral movement possible.’]
Indicators of Compromise
- [MD5 hashes] Example malicious files – 2f378559b835cbe9ec9874baec73a578 (Pupy RAT – lvmetad), 504612eaebc2660c4ac00f5db1d24fca (Pupy RAT – newp4.so), and 20 more hashes.
- [C2 IPs/domains] Command-and-control infrastructure – 45.32.16[.]248:443 (Pupy RAT – Korea), safe.0xhu[.]com:443 (Pupy RAT), and several other domains listed in report.
- [Download URLs] Distribution endpoints – hxxp://45.32.16[.]248/lvmetad (Pupy RAT – Korea), hxxp://api.api-alipay[.]com/kworker0ytj (Pupy RAT), and additional kworker-style paths.
- [File detections / Names] Detected signatures and trojanized filenames – Backdoor/Linux.PupyRAT.3414160, Backdoor/Win.CobaltStrike.C5611386, and trojanized names like ChromeSetup.exe or *.docx.exe.
Pupy RAT is a modular remote access toolkit implemented in C and Python that supports cross-platform implants and a wide set of capabilities: remote command execution, file transfer, process/file manipulation, screenshot capture, and keylogging. Its architecture includes post-exploitation modules for privilege escalation, credential harvesting, and lateral movement, enabling adversaries to escalate access and move within networks after initial compromise.
Linux-targeting variants commonly employ process masquerading (default runtime name /usr/sbin/atd, and multiple kworker/ntpd-style names) and use build/revision metadata as attribution clues. Distribution methods observed include spearphishing and trojanized download pages; campaigns have reused infrastructure hosting Cobalt Strike and PlugX components. C2 channels are frequently HTTPS on port 443 across many domains and IPs, and the report lists concrete download URLs and many MD5 hashes tied to samples collected in Asian countries and South Korea.
For operational response, prioritize blocking known C2 domains/IPs and download URLs, add the provided MD5s to detection lists, and hunt for process names and behaviors (unexpected /usr/sbin/atd or kworker/ntpd processes with network connections). Ensure endpoint signatures are updated and investigate systems showing file transfers, screenshots, input-capture artifacts, or signs of post-exploitation modules for privilege escalation and lateral movement.
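The hunting step above (unexpected atd/kworker/ntpd processes with network connections) and the IOC lists in this summary can be turned into a small triage script. The following is an added example written for this page, not code from the ASEC report or from the Pupy project. It refangs the published indicators, matches MD5 digests, and scores process records on the detail that makes the masquerade visible: renaming a process changes its comm and argv[0] but not where /proc/<pid>/exe points, and genuine kworkers are kernel threads with no exe link at all. The expected binary paths, the `ProcRecord` shape, the `snapshot_live_procs` helper and the `SAMPLE_PROCS` snapshot are assumptions constructed for the example; socket peers are left for the reader to fill from `ss -tnp` or similar.

```python
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass, field

# Indicators copied from the report summary above, still defanged as published.
C2_ENDPOINTS = ["45.32.16[.]248:443", "safe.0xhu[.]com:443"]
DOWNLOAD_URLS = ["hxxp://45.32.16[.]248/lvmetad", "hxxp://api.api-alipay[.]com/kworker0ytj"]
KNOWN_MD5 = {"2f378559b835cbe9ec9874baec73a578", "504612eaebc2660c4ac00f5db1d24fca"}

# Service names the Linux builds borrow, mapped to the binary that legitimately owns them.
# Paths are typical Debian/Red Hat locations (assumption; adjust for your distribution).
EXPECTED_EXE = {"atd": "/usr/sbin/atd", "ntpd": "/usr/sbin/ntpd"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp://') back into a matchable string."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, for matching against the report's hash list."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    return md5_hex(data) in KNOWN_MD5


@dataclass
class ProcRecord:
    """What a collector reads from /proc/<pid>/{comm,exe,cmdline}, plus socket peers."""
    pid: int
    comm: str                  # /proc/<pid>/comm (what ps shows)
    exe: str | None            # readlink /proc/<pid>/exe; None for kernel threads
    cmdline: str               # /proc/<pid>/cmdline with NULs joined by spaces
    remote: list[str] = field(default_factory=list)  # "ip:port" of established sockets


def suspicious(rec: ProcRecord) -> list[str]:
    """Return reasons a process looks like a renamed implant; empty list if clean."""
    reasons = []
    # A renamed process changes comm/argv[0] but not where /proc/<pid>/exe points.
    claims = {rec.comm}
    if rec.cmdline:
        claims.add(os.path.basename(rec.cmdline.split()[0]))
    for name in claims:
        if name.startswith("kworker"):
            # Genuine kworkers are kernel threads: no exe link and an empty cmdline.
            if rec.exe is not None or rec.cmdline:
                reasons.append(f"'{name}' is backed by a user-space binary {rec.exe!r}")
        elif name in EXPECTED_EXE and rec.exe != EXPECTED_EXE[name]:
            reasons.append(f"'{name}' runs from unexpected path {rec.exe!r}")
    c2 = {refang(e) for e in C2_ENDPOINTS}
    for peer in rec.remote:
        if peer in c2:
            reasons.append(f"connection to listed C2 {peer}")
    # atd and kworkers have no business holding outbound sockets; ntpd legitimately does.
    quiet = any(n == "atd" or n.startswith("kworker") for n in claims)
    if quiet and rec.remote:
        reasons.append(f"'{rec.comm}' holds outbound connections: {rec.remote}")
    return reasons


def hunt(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Map pid -> reasons for every flagged record."""
    return {r.pid: rs for r in records if (rs := suspicious(r))}


def snapshot_live_procs() -> list[ProcRecord]:
    """Read comm/exe/cmdline from a real /proc (Linux only). Socket peers are left
    empty; pair with `ss -tnp` output to fill them in before calling hunt()."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            comm = open(f"{base}/comm").read().strip()
            raw = open(f"{base}/cmdline", "rb").read()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = None  # kernel thread, or insufficient privilege
        except OSError:
            continue  # process exited mid-scan
        out.append(ProcRecord(int(pid), comm, exe, cmdline))
    return out


# Constructed sample snapshot (not real telemetry): two benign services, one kernel
# thread, and two implants renamed the way the report describes.
SAMPLE_PROCS = [
    ProcRecord(101, "atd", "/usr/sbin/atd", "/usr/sbin/atd -f"),
    ProcRecord(57, "kworker/0:1", None, ""),
    ProcRecord(412, "ntpd", "/usr/sbin/ntpd", "/usr/sbin/ntpd -u ntp:ntp", ["198.51.100.10:123"]),
    ProcRecord(2034, "atd", "/tmp/.x/lvmetad", "/usr/sbin/atd", ["45.32.16.248:443"]),
    ProcRecord(3310, "kworker0ytj", "/home/user/Downloads/kworker0ytj", "./kworker0ytj", ["203.0.113.7:443"]),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n  ")
```

On the constructed snapshot only pids 2034 and 3310 are flagged: the first because its exe link points outside /usr/sbin and it talks to a listed C2, the second because a "kworker" should never have a user-space binary or sockets behind it. Hash matching is kept as a secondary signal, since a rebuilt implant changes its MD5 while the process-naming behaviour stays the same.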
Read more: https://asec.ahnlab.com/en/64258/