Infostealer malware linked to Lazarus Group campaigns

The article analyzes a sophisticated Python malware script that uses Base64 encoding and ZLIB compression. The malicious code is wrapped in multiple obfuscation stages and attempts to adapt its behaviour to whichever operating system it lands on. The analysis also covers the malware's delivery methods, including a campaign called “ClickFix” that uses social engineering to manipulate users into executing malicious scripts themselves. The report emphasizes the continuing evolution of malware tactics that target software developers for data theft and espionage. Affected: software developers, organizations, Windows, macOS, Linux, North Korean nuclear projects
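As an added example for triage, not code from the article or its author: a static stage-peeler for the nested Base64 + zlib wrapper the summary describes. It decodes each stage without executing anything and lists URL and IP[:port] strings found in the innermost stage. The sample script it unwraps is constructed here with a benign payload, and the regex assumes the stages use the `exec(zlib.decompress(base64.b64decode(...)))` idiom, which is an assumption rather than a detail the article shows.

```python
import base64
import re
import zlib

# Assumed stage wrapper: exec(zlib.decompress(base64.b64decode(b'...'))).
# Only the encoded payload is captured; the script is never executed.
LAYER_RE = re.compile(
    rb"zlib\.decompress\(\s*base64\.b64decode\(\s*b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"
)
MAX_LAYERS = 32  # guard against a script that re-wraps itself endlessly

def peel_layers(script: bytes) -> tuple[bytes, int]:
    """Statically unwrap nested Base64+zlib stages; returns (innermost, depth)."""
    depth, current = 0, script
    while depth < MAX_LAYERS:
        m = LAYER_RE.search(current)
        if m is None:
            break
        try:
            current = zlib.decompress(base64.b64decode(m.group(1), validate=True))
        except (zlib.error, ValueError):
            break  # malformed stage: stop and return what was recovered so far
        depth += 1
    return current, depth

# URLs, or dotted-quad IPs with an optional port, as they appear in a decoded stage.
IOC_RE = re.compile(rb"https?://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b")

def extract_network_iocs(stage: bytes) -> list[str]:
    """Pull candidate network indicators out of a decoded stage for analyst review."""
    return sorted({m.decode(errors="replace") for m in IOC_RE.findall(stage)})

def build_constructed_sample(inner: bytes, layers: int) -> bytes:
    """Constructed test input: a benign payload wrapped `layers` times."""
    script = inner
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(script))
        script = b"exec(zlib.decompress(base64.b64decode(b'" + blob + b"')))"
    return b"import base64, zlib\n" + script

if __name__ == "__main__":
    sample = build_constructed_sample(b"print('benign final stage')", 3)
    final, depth = peel_layers(sample)
    print(f"stages unwrapped: {depth}\n{final.decode()}")
```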

Key points:

  • An analysis of a malicious Python script using Base64 and ZLIB compression.
  • The code employs obfuscation and multiple stages to evade detection.
  • Key components in the malware include registry key reading and C2 server communication.
  • The “ClickFix” campaign uses social engineering to deceive users into executing malware.
  • Advanced Persistent Threat (APT) groups are evolving their tactics to target software developers.
  • The malware gathers system and geolocation information, operating in stealth mode.
  • Several malware campaigns exhibit similar attack patterns and goals.
  • Common objectives include data theft, financial gain, and espionage for funding North Korean projects.

MITRE Techniques:

  • T1027 — Obfuscated Files or Information: The malicious script utilizes heavy obfuscation techniques to conceal its true functionality.
  • T1027.002 — Obfuscated Files or Information: Software Packing: The script is packed using Base64 and ZLIB for compression.
  • T1204.002 — User Execution: Malicious File: The ClickFix technique lures users into executing malicious scripts masquerading as legitimate actions.
  • T1564.001 — Hide Artifacts: Hidden Files and Directories: Executed scripts are designed to minimize visibility on compromised systems.
  • T1082 — System Information Discovery: The malware collects detailed system information about the victim’s environment.
  • T1016 — System Network Configuration Discovery: The script identifies network settings and configurations on infected systems.
  • T1033 — System Owner/User Discovery: The malware discovers the current user and active profiles on the system.
  • T1555 — Credentials from Password Stores: The malware aims to access credential storage to exfiltrate sensitive information.
  • T1555.003 — Credentials from Web Browsers: The malware specifically targets credentials stored by web browsers.
  • T1056.001 — Input Capture: Keylogging: The malware captures keystrokes to gather sensitive user data.
  • T1546.008 — Event Triggered Execution: Accessibility Features: Execution of malicious actions triggered by user accessibility features.
  • T1041 — Exfiltration Over C2 Channel: Data is sent back to the C2 server over established communication channels.

Indicators of Compromise:

  • IPv4: 5.253.43[.]122:1224
  • IPv4: 41.208.185[.]235
  • IPv4: 95.164.7[.]171:8637
  • URL: http[:]//ip-api[.]com/json

Full Story: https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f?source=rss——reverse_engineering-5