A polymorphic Python RAT named “nirorat.py” was found on VirusTotal (SHA256: 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c). It uses self-modifying techniques (inspect, XOR packing, marshal/zlib) and polymorphic source transformations to evade detection. It exposes many remote-access features (network scanning, spreading, file operations, audio/screen capture, cryptomining, and commands to deploy payloads) and scored only 2/64 detections on VirusTotal. #nirorat #Xworm
Keypoints
- The sample “nirorat.py” (SHA256:7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c) uploaded to VirusTotal scored 2/64 detections.
- The malware implements self-modifying code via Python’s inspect module to read function source, XOR-pack it, and execute from memory using marshal and zlib.
- A polymorph_code() function performs variable renaming, injects randomized junk snippets, shuffles functions, and otherwise obfuscates source to evade static analysis.
- The RAT includes async network scanning and spreading capabilities (socket_network_scan, scan_host, try_router_hack, test_default_credentials, spread_to_network, deliver_payload, execute_payload).
- Extensive remote capabilities are present: file upload/download, execution of arbitrary commands, archiving, encryption, system info, keylogging, and deployment of an Xworm payload.
- Multimedia and monitoring features include screen and webcam capture, audio capture/streaming, recording/listening functionality, and commands to start/stop these actions.
- The bot exposes a command interface (commands like /encrypt, /mine, /screenshot, /audio, /execute, /xworm, /keylog_start) suitable for interactive control over victims.
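The self-modifying chain described in the key points (read a function's own source with inspect.getsource, XOR-pack it, then rebuild and run it via zlib.decompress, marshal.loads and exec) leaves a recognisable call pattern in the source even after variable renaming and junk insertion, because polymorph_code() renames the author's variables but not the standard-library calls. The following static triage script is an added example written for this page; it is not code from the sample or from the ISC diary. It parses a Python file with the ast module and scores the co-occurrence of those calls plus the bytes(b ^ key for b in blob) packing idiom. The SAMPLE and BENIGN inputs are constructed for the demonstration and contain no payload.

```python
"""Static triage for the in-memory unpacking chain (inspect -> XOR -> zlib/marshal -> exec).

Added example for this page; not code from the nirorat.py sample or the ISC diary.
"""
import ast
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Call targets that, seen together in one file, make up the in-memory
# unpacking chain the write-up describes.
SUSPICIOUS_CALLS = {
    "inspect.getsource": "reads its own function source (T1620)",
    "marshal.loads": "rebuilds a code object from bytes",
    "zlib.decompress": "inflates a packed blob",
    "compile": "builds a code object at runtime",
    "exec": "runs a code object from memory (T1059)",
}


@dataclass
class Finding:
    # call name -> line numbers where it appears
    hits: Dict[str, List[int]] = field(default_factory=dict)
    # line numbers of bytes(x ^ key for x in ...) packing idioms
    xor_packing: List[int] = field(default_factory=list)

    @property
    def score(self) -> int:
        """One point per distinct suspicious call, plus one if XOR packing is present."""
        return len(self.hits) + (1 if self.xor_packing else 0)


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'mod.attr' for Name/Attribute call targets, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.finding = Finding()

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            self.finding.hits.setdefault(name, []).append(node.lineno)
        elif name == "bytes" and node.args:
            # bytes(b ^ key for b in blob): the packing idiom quoted in the write-up
            arg = node.args[0]
            if (isinstance(arg, (ast.GeneratorExp, ast.ListComp))
                    and isinstance(arg.elt, ast.BinOp)
                    and isinstance(arg.elt.op, ast.BitXor)):
                self.finding.xor_packing.append(node.lineno)
        self.generic_visit(node)


def triage_source(source: str) -> Finding:
    """Parse Python source and collect indicators of the unpacking chain."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return visitor.finding


# Constructed input that mimics the described chain; it is never executed here.
SAMPLE = '''
import inspect, marshal, zlib
def main():
    pass
critical_code = inspect.getsource(main).encode()
xor_key = 0x5A
packed_code = bytes(b ^ xor_key for b in critical_code)
unpacked_code = bytes(b ^ xor_key for b in packed_code)
code_obj = marshal.loads(zlib.decompress(unpacked_code))
exec(code_obj)
'''

# Constructed benign input for comparison.
BENIGN = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        finding = triage_source(src)
        print(f"{label}: score={finding.score} hits={finding.hits} xor={finding.xor_packing}")
```

A score of 3 or more (source read, deserialisation, and exec in one file) is worth a human look. The check is deliberately name-based, so a variant that reaches the same functions through getattr or importlib aliases would slip past it; pair it with the runtime log strings listed under the indicators, which the sample writes regardless of how its source was transformed.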
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Malware defines and executes arbitrary shell/OS commands via functions like execute(ctx, *, command) and exec(code_obj) to run unpacked code from memory; quoted content: ‘exec(code_obj)’.
- [T1218] Signed Binary Proxy Execution or Hijacking (analogous) – Uses in-memory unpacking and execution (marshal.loads, zlib.decompress, exec) to run code without writing a clear payload to disk; quoted content: ‘packed_code = bytes(b ^ xor_key for b in critical_code)’ (shows packing) and ‘code_obj = marshal.loads(zlib.decompress(unpacked_code))’.
- [T1620] Reflective Code Loading – Reads source via inspect.getsource(…), performs transformations, then executes the resulting code objects in memory; quoted content: ‘critical_code = inspect.getsource(main).encode()’.
- [T1027] Obfuscated Files or Information – Applies polymorphic transformations (variable renaming, junk insertion, function shuffling) to obfuscate code and evade analysis; quoted content: ‘Obfuscate code with advanced randomization and junk code.’
- [T1090] Proxy: Internal Spearphishing/Propagation Techniques (lateral movement) – Implements network scanning, credential testing, and spreading routines to move across networks; quoted content: ‘async def socket_network_scan():’, ‘async def spread_to_network()’.
- [T1490] Inhibit System Recovery (archive/encrypt) – Provides commands to encrypt victim files and archive critical files, disrupting recovery; quoted content: ‘/encrypt – Encrypt victim’s files’ and ‘/archive – Archive critical files’.
- [T1113] Screen Capture – Captures screenshots and webcam content via functions like record_screen_webcam and screenshot; quoted content: ‘async def record_screen_webcam(voice_channel, ctx)’ and ‘/screenshot – Capture screenshot’.
- [T1020] Automated Collection (Audio Capture) – Records and streams audio from victims using functions like audio and listen; quoted content: ‘/audio – Capture audio’ and ‘/listen – Record screen for 30 seconds, stream high-quality live audio to voice channel’.
- [T1056] Input Capture (Keylogging) – Offers keylogger control commands to start and stop keylogging and exfiltrate logs; quoted content: ‘/keylog_start – Start keylogger’ and ‘/keylog_stop – Stop keylogger and send log’.
Indicators of Compromise
- [File Hash] sample SHA256 – 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c (uploaded to VirusTotal as “nirorat.py”).
- [File Name] observed filename – nirorat.py (VirusTotal submission name).
- [Function Names] embedded capabilities – async def socket_network_scan, async def spread_to_network, async def record_screen_webcam (indicates scanning, spreading, and capture features).
- [URL/Artifact] referenced payload URL – example Xworm payload URL shown as “https://example.com/serial_spoofer.exe” (used as default xworm spread_url placeholder).
- [Log Entries] runtime logs – debug.log entries like “[+] Self-modifying code executed” and “[+] Advanced polymorphic transformation applied” written by the sample (useful for behavioral detection).
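The indicators above are of uneven durability: the SHA256 matches only this exact VirusTotal submission and any polymorphic rebuild will have a different hash, whereas the function names and the debug.log strings survive the sample's own renaming and junk insertion. The sweep below is an added example for this page (not the diary's or the sample's code) that applies all three classes of indicator to a candidate file and to log lines; the source text and log lines it runs on are constructed for the demonstration.

```python
"""IoC sweep for the nirorat.py indicators: file hash, file name, function names, log strings.

Added example for this page; not code from the ISC diary or the sample.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Values taken from the indicator list above.
SAMPLE_SHA256 = "7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c"
SAMPLE_NAME = "nirorat.py"
FUNCTION_IOCS = ("socket_network_scan", "spread_to_network", "record_screen_webcam")
LOG_IOCS = (
    "[+] Self-modifying code executed",
    "[+] Advanced polymorphic transformation applied",
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_file(name: str, data: bytes) -> Dict[str, object]:
    """Match a candidate file against the hash, name and function-name indicators."""
    text = data.decode("utf-8", errors="replace")
    return {
        "hash_match": sha256_hex(data) == SAMPLE_SHA256,
        "name_match": name.lower() == SAMPLE_NAME,
        # look for the capability functions as definitions, not just substrings
        "functions": [f for f in FUNCTION_IOCS if f"def {f}(" in text],
    }


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, indicator) for every log line carrying a known runtime string."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for ioc in LOG_IOCS:
            if ioc in line:
                hits.append((number, ioc))
    return hits


# Constructed candidate file: a renamed rebuild that keeps two capability functions.
CANDIDATE_NAME = "nirorat.py"
CANDIDATE_SOURCE = b"""import asyncio
async def socket_network_scan():
    pass
async def spread_to_network():
    pass
"""

# Constructed debug.log excerpt.
CANDIDATE_LOG = [
    "2025-01-01 00:00:00 [*] starting",
    "2025-01-01 00:00:01 [+] Self-modifying code executed",
    "2025-01-01 00:00:02 [*] heartbeat",
    "2025-01-01 00:00:03 [+] Advanced polymorphic transformation applied",
]

if __name__ == "__main__":
    print(check_file(CANDIDATE_NAME, CANDIDATE_SOURCE))
    print(scan_log_lines(CANDIDATE_LOG))
```

Against the constructed rebuild the hash does not match but the name and two function definitions do, and both log strings are found; that is the expected shape of a hit on a polymorphic variant, so treat a hash miss alone as no evidence of absence.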
Read more: https://isc.sans.edu/diary/Polymorphic+Python+Malware/32354