Why Is Python So Widely Used for Compromising Windows Systems?

Python is increasingly used in Windows-targeted attacks for two reasons: although it is not installed on Windows by default, attackers can easily deploy their own copy of the interpreter (for example a portable build) alongside their script, and Python has no AMSI integration, so script contents are never handed to the antimalware scan interface the way PowerShell, VBScript or JScript code is. The article walks through a Python-based infostealer that is reconstructed on the victim by a batch file, exfiltrates data through Telegram bots and persists via a Startup-folder entry, and concludes that Python processes on Windows hosts deserve dedicated monitoring. #CookieStealer #Telegram

Keypoints

  • Python is frequently used in malicious scripts targeting the Windows ecosystem.
  • Python is not installed on Windows by default, but that is no obstacle: attackers can easily deploy their own copy of the interpreter (for example a portable build) next to the script.
  • Python has no AMSI integration, unlike PowerShell, VBScript or JScript, so script contents are not passed to the antimalware scan interface; this makes malicious scripts easier to debug and to run without detection.
  • Malicious Python scripts can be delivered via batch files that reconstruct the script on the victim’s machine before launching it.
  • Exfiltrated data is sent to Telegram bots; the sample defines two bot token variables, apparently as a simple load-balancing (or fallback) scheme for data theft.
  • Persistence is implemented by dropping a launcher into the Startup folder so the script runs again at each logon.
  • Monitoring Python processes on Windows hosts, especially interpreters running from user-writable locations, is crucial for identifying potential threats.
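The monitoring point above is concrete enough to turn into a rule. The following is an added example, not code from the diary or from the infostealer it describes: a small Python triage function run over constructed Sysmon-style process-creation and file-creation records. It flags python.exe/pythonw.exe running from outside a standard install path, interpreters launched by a .bat file through cmd.exe, scripts executed from staging directories such as C:\Users\Public, and autorun files written to a user’s Startup folder. The event records, the path hints and the rule names are assumptions made for this example.

```python
import re

# Constructed Sysmon-style records (Event ID 1 = process creation, 11 = file creation).
# They are illustrative inputs written for this example, not telemetry from the diary's sample.
EVENTS = [
    {   # portable interpreter staged in C:\Users\Public and launched by a batch file
        "EventID": 1,
        "Image": r"C:\Users\Public\python\python.exe",
        "CommandLine": r'"C:\Users\Public\python\python.exe" C:\Users\Public\stub.py',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\Public\Windows.bat"',
    },
    {   # benign: a system-wide install run by a developer from an IDE
        "EventID": 1,
        "Image": r"C:\Program Files\Python312\python.exe",
        "CommandLine": r'"C:\Program Files\Python312\python.exe" -m pytest tests',
        "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"',
    },
    {   # persistence: the batch launcher is copied into the user's Startup folder
        "EventID": 11,
        "Image": r"C:\Users\Public\python\python.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.bat",
    },
]

# Matches python.exe / pythonw.exe as the last path component (case-insensitive).
PYTHON_IMAGE = re.compile(r"(?:^|\\)pythonw?\.exe$", re.IGNORECASE)

# Assumed allowlist: where a legitimately installed interpreter normally lives. Tune this
# for your estate (Microsoft Store Python under WindowsApps, Anaconda, project venvs, ...).
TRUSTED_INSTALL_HINTS = (
    "c:\\program files\\python",
    "c:\\program files (x86)\\python",
    "\\appdata\\local\\programs\\python\\",
)
# World-writable or throwaway locations commonly used to stage droppers.
STAGING_HINTS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\", "c:\\windows\\temp\\")
STARTUP_HINT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
AUTORUN_EXTS = (".bat", ".cmd", ".py", ".pyw", ".vbs", ".lnk")


def triage_event(ev):
    """Return the rule names matched by one event (empty list = nothing suspicious)."""
    hits = []
    if ev["EventID"] == 1 and PYTHON_IMAGE.search(ev["Image"]):
        image = ev["Image"].lower()
        cmdline = ev["CommandLine"].lower()
        parent = ev.get("ParentImage", "").lower()
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        if not any(h in image for h in TRUSTED_INSTALL_HINTS):
            hits.append("python_outside_trusted_install_path")
        if parent.endswith("\\cmd.exe") and (".bat" in parent_cmd or ".cmd" in parent_cmd):
            hits.append("python_spawned_by_batch_file")
        if any(h in cmdline for h in STAGING_HINTS):
            hits.append("python_script_in_staging_dir")
    elif ev["EventID"] == 11:
        target = ev["TargetFilename"].lower()
        if STARTUP_HINT in target and target.endswith(AUTORUN_EXTS):
            hits.append("startup_folder_autorun_drop")
    return hits


def triage(events):
    """Score a batch of events; two or more rules on a single event is rated 'high'."""
    findings = []
    for idx, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            severity = "high" if len(hits) >= 2 else "medium"
            findings.append({"index": idx, "severity": severity, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On real telemetry the allowlist is the part that needs care: developer workstations legitimately run interpreters from per-user paths and virtual environments, so the value of this rule comes from combining the path signal with the batch-file parent and the Startup-folder write rather than from any one of them alone.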

MITRE Techniques

  • [T1059.003] Windows Command Shell – “Attackers use command-line interfaces to execute malicious scripts and commands.” – Batch files run through cmd.exe stage and launch the script; execution of the Python code itself falls under T1059.006 (Python).
  • [T1041] Exfiltration Over C2 Channel – “Data is exfiltrated through established communication channels, such as Telegram bots.” – The malware sends stolen data through the Telegram Bot API, a legitimate web service (see also T1102, Web Service) that blends into normal HTTPS traffic.
  • [T1547.001] Registry Run Keys / Startup Folder – “Malicious scripts are set to run at startup to maintain persistence on the victim’s machine.” – A launcher placed in the Startup folder re-executes the script at each logon.
  • [T1213] Data from Information Repositories – “Attackers gather sensitive information from various data sources, such as browser data.” – The infostealer collects browser-related data. Note that T1213 is meant for shared repositories such as SharePoint or Confluence; browser cookies and saved credentials are more precisely covered by T1539 (Steal Web Session Cookie) and T1555.003 (Credentials from Web Browsers).

Indicators of Compromise

  • [Domain] – ipinfo.io (victim geolocation lookup) and api.telegram.org (Telegram Bot API used as the C2/exfiltration channel) – ipinfo.io, api.telegram.org
  • [File] – Batch dropper and reconstructed Python stub written to the world-writable Public profile during the install chain – C:\Users\Public\stub.py, C:\Users\Public\Windows.bat
  • [API Token] – Telegram bot tokens used for exfiltration and notification; both variables in the sample hold the same token, which fully identifies the attacker’s bot and is therefore a high-fidelity string to search for in proxy logs – apibot1='7363228617:AAHqve2-Ypl4SopNb04FOWW2Drm6zQ3v8gg', apibot2='7363228617:AAHqve2-Ypl4SopNb04FOWW2Drm6zQ3v8gg'
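Because the bot token is embedded in every Telegram Bot API URL, egress logs are a cheap place to catch the exfiltration channel listed above, and the extracted token becomes a pivot for hunting other hosts. This is an added example, not code from the diary or the malware sample: it parses constructed proxy log lines, extracts the bot token and API method from each api.telegram.org request per client, and tags clients that upload documents or messages, poll getUpdates for tasking, or look up their public IP on ipinfo.io. The log format, client addresses and the placeholder token are made up for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, HTTP method, URL, status.
# The bot token is a made-up placeholder in Telegram's "<bot id>:<secret>" shape.
PROXY_LOG = """\
2024-09-03T10:14:02Z 10.0.5.23 GET https://ipinfo.io/json 200
2024-09-03T10:14:05Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:Constructed_Example_Token_000000000/sendMessage 200
2024-09-03T10:14:09Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:Constructed_Example_Token_000000000/sendDocument 200
2024-09-03T10:14:30Z 10.0.5.23 GET https://api.telegram.org/bot1234567890:Constructed_Example_Token_000000000/getUpdates 200
2024-09-03T10:15:00Z 10.0.5.40 GET https://www.python.org/downloads/ 200
"""

# Bot API paths look like /bot<id>:<secret>/<method>; the secret length is an assumption
# loose enough to cover real tokens without matching arbitrary paths.
BOT_CALL = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)$")
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}   # data leaving the host
C2_METHODS = {"getUpdates"}                                     # host polling for tasking


def parse_line(line):
    ts, client, http_method, url, status = line.split()
    return {"ts": ts, "client": client, "http": http_method, "url": url, "status": int(status)}


def analyse(log_text):
    """Group Telegram Bot API usage per client and note ipinfo.io geolocation lookups."""
    per_client = defaultdict(lambda: {"tokens": set(), "methods": [], "geo_lookup": False})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        parts = urlsplit(rec["url"])
        entry = per_client[rec["client"]]
        if parts.hostname == "ipinfo.io":
            entry["geo_lookup"] = True
        elif parts.hostname == "api.telegram.org":
            m = BOT_CALL.match(parts.path)
            if m:
                entry["tokens"].add(m["token"])
                entry["methods"].append(m["method"])
    return dict(per_client)


def verdicts(summary):
    """Return, for each client that talked to a Telegram bot, the tokens seen and behaviour tags."""
    out = {}
    for client, entry in summary.items():
        if not entry["tokens"]:
            continue
        tags = []
        if EXFIL_METHODS.intersection(entry["methods"]):
            tags.append("telegram_exfil")
        if C2_METHODS.intersection(entry["methods"]):
            tags.append("telegram_c2_polling")
        if entry["geo_lookup"]:
            tags.append("geo_lookup_ipinfo")
        out[client] = {"tokens": sorted(entry["tokens"]), "tags": tags}
    return out


if __name__ == "__main__":
    for client, verdict in verdicts(analyse(PROXY_LOG)).items():
        print(client, verdict)
```

Matching on the token rather than only on the hostname matters: a corporate Telegram user also talks to api.telegram.org, but only a bot (and therefore usually a script) issues /bot<token>/ calls, and any token recovered this way can be searched for across the rest of the proxy history to find other infected hosts.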

Read more: https://isc.sans.edu/diary/rss/31208