A suspected RansomHub affiliate used a novel Python backdoor to establish persistence on a victim’s network in an incident documented by GuidePoint Security late last year.
The deobfuscated backdoor code showed signs of AI-assisted coding, researchers said in a GuidePoint Security GRIT blog post published Wednesday. The malware was spread laterally across the victim’s network over Remote Desktop Protocol (RDP) sessions, after initial access was gained through a suspected SocGholish malware download.
GuidePoint noted that ReliaQuest had previously discovered a link between SocGholish infection and an earlier version of the backdoor. In the incident observed by GuidePoint, this attack chain concluded with the deployment of RansomHub encryptors across the entire network.
The backdoor showed several changes since ReliaQuest first observed it in February 2024, including obfuscation with the Pyobfuscate tool, the use of RDP to spread it laterally within the network, and new C2 addresses used by the attacker.
Eighteen IP addresses linked to the backdoor’s C2 infrastructure, which appeared to still be active at the time of the blog’s publication, were identified by GuidePoint. The researchers said they will continue to document IP addresses associated with the backdoor via C2IntelFeeds.
After initial access, the attacker dropped the Python backdoor on the first victim machine within about 20 minutes, following five steps to infect machines and establish persistence. First, the attacker moved to the target folder “connecteddevicesplatform,” then installed Python and set up the pip package manager to install the Python libraries required by the malware.
Next, the attacker created a Python proxy script and finally used Windows scheduled tasks to establish persistence. The script acts as a reverse proxy: the infected host dials out to the attacker’s infrastructure over TCP and then serves a tunnel heavily based on the SOCKS5 protocol, although the protocol is not fully implemented.
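The chain above (a Python interpreter dropped into a “connecteddevicesplatform” folder, pip run from it, then a scheduled task pointing at that interpreter) leaves a recognisable trail in Windows security logging. The following is an added hunting example written for this article, not code from GuidePoint or ReliaQuest. It runs over constructed process-creation (4688) and scheduled-task-creation (4698) events; the full install path under a user profile and the task names are assumptions for illustration, since the report only gives the folder name.

```python
"""Hunt for Python persistence via a user-writable folder and a scheduled task.
Added example with constructed events; only the folder name comes from the report."""
import re
import xml.etree.ElementTree as ET

SUSPECT_DIR = "connecteddevicesplatform"          # folder name from the report
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")  # where a sanctioned python.exe lives
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample events: (event_id, fields). Paths/task names are assumptions.
SAMPLE_EVENTS = [
    (4688, {"NewProcessName": r"C:\Users\alice\AppData\Local\connecteddevicesplatform\python.exe",
            "CommandLine": r"python.exe -m pip install pysocks"}),
    (4688, {"NewProcessName": r"C:\Program Files\Python312\python.exe",
            "CommandLine": r"python.exe build.py"}),
    (4698, {"TaskName": r"\Microsoft\Windows\Maintenance\Updater",
            "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>C:\\Users\\alice\\AppData\\Local\\connecteddevicesplatform\\python.exe</Command>
    <Arguments>proxy.py</Arguments>
  </Exec></Actions></Task>"""}),
    (4698, {"TaskName": r"\Backup",
            "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Windows\\System32\\wbadmin.exe</Command></Exec></Actions></Task>"""}),
]

PIP_INSTALL = re.compile(r"\bpip3?(\.exe)?\b.*\binstall\b", re.I)


def untrusted_python(path: str) -> bool:
    """python.exe running from anywhere other than the trusted install roots."""
    p = path.lower()
    return p.endswith("python.exe") and not p.startswith(TRUSTED_PREFIXES)


def suspicious_path(path: str) -> bool:
    return untrusted_python(path) or SUSPECT_DIR in path.lower()


def task_commands(task_xml: str) -> list:
    """Extract every <Exec><Command> from a 4698 TaskContent payload."""
    root = ET.fromstring(task_xml)
    return [c.text or "" for c in root.findall(".//t:Exec/t:Command", TASK_NS)]


def hunt(events) -> list:
    """Return (rule, detail) tuples for events matching the persistence chain."""
    findings = []
    for eid, f in events:
        if eid == 4688:
            path, cmd = f.get("NewProcessName", ""), f.get("CommandLine", "")
            if suspicious_path(path):
                findings.append(("python_from_user_dir", path))
                if PIP_INSTALL.search(cmd):       # attacker installing the backdoor's dependencies
                    findings.append(("pip_install_from_user_dir", cmd))
        elif eid == 4698:
            for command in task_commands(f.get("TaskContent", "")):
                if suspicious_path(command):
                    findings.append(("schtask_runs_user_dir_python", f.get("TaskName", "")))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Both rules are deliberately path-based rather than tied to the folder name alone, because the name is trivially changed between campaigns; a python.exe outside Program Files or Windows that is launched by a scheduled task is worth a look regardless of what the directory is called.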
The researchers noted that the deobfuscated Python code shows signs of AI assistance, including overly descriptive method names and variables, lengthy debug messages, and detailed logging for unsupported address types and unimplemented sections of the SOCKS5 protocol.
The backdoor connects to hardcoded IP addresses over TCP and establishes the SOCKS5-like tunnel, letting the attacker move laterally through the victim’s network with the infected machine acting as a proxy, the researchers wrote. The malware only supports tunneled TCP traffic and has no support for IPv6 addresses.
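To make the “SOCKS5-like, not fully implemented” description concrete, here is an added example of the two SOCKS5 (RFC 1928) messages such a relay has to handle, with exactly the gaps the article describes: only the CONNECT command, only IPv4 and domain-name targets, and an “address type not supported” reply for IPv6. It is written for this article and is not the backdoor’s code; the in-memory driver stands in for the TCP connection (in the reverse-proxy case the infected host is the TCP client but plays the SOCKS server role, which does not change the message formats).

```python
"""SOCKS5 handshake parsing with the feature gaps described in the report.
Added example, not the malware's code."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01                 # BIND (0x02) and UDP ASSOCIATE (0x03) are not handled
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928 section 6
REP_SUCCEEDED, REP_GENERAL_FAILURE = 0x00, 0x01
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08


def select_method(greeting: bytes) -> bytes:
    """Client greeting VER|NMETHODS|METHODS -> server reply VER|METHOD."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(req: bytes):
    """Client request VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT -> (reply_code, host, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        return REP_GENERAL_FAILURE, None, None
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:                         # TCP CONNECT is the only command implemented
        return REP_CMD_NOT_SUPPORTED, None, None
    if atyp == ATYP_IPV4:
        if len(req) != 10:
            return REP_GENERAL_FAILURE, None, None
        host = str(ipaddress.IPv4Address(req[4:8]))
        port = struct.unpack("!H", req[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        if len(req) != 5 + n + 2:
            return REP_GENERAL_FAILURE, None, None
        host = req[5:5 + n].decode("ascii", "replace")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    else:                                          # IPv6 (and unknown types) are rejected
        return REP_ATYP_NOT_SUPPORTED, None, None
    return REP_SUCCEEDED, host, port


def build_reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server reply VER|REP|RSV|ATYP=IPv4|BND.ADDR|BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_addr).packed
            + struct.pack("!H", bind_port))


def handshake(greeting: bytes, request: bytes):
    """Drive both steps as the relay would. Returns (method_reply, request_reply, target)."""
    method_reply = select_method(greeting)
    if method_reply[1] == NO_ACCEPTABLE:
        return method_reply, None, None
    rep, host, port = parse_request(request)
    target = (host, port) if rep == REP_SUCCEEDED else None
    return method_reply, build_reply(rep), target


if __name__ == "__main__":
    # Constructed request: CONNECT to 10.0.0.5:3389 (an RDP target on the internal network)
    print(handshake(b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x0d\x3d"))
```

On the wire this is why the tunnel is easy to fingerprint once the C2 connection is found: after the outbound TCP connect, the first bytes exchanged are the fixed-format greeting and request above, and a relay that answers 0x08 to every IPv6 target or 0x07 to every BIND stands out from a full SOCKS5 implementation.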
A similar version of the malware uploaded to VirusTotal in September 2024 had no detections from antivirus engines at the time, indicating that it could maintain persistence while evading signature-based detection.
RansomHub was the most prolific ransomware-as-a-service group in the second half of 2024, according to ESET, claiming nearly 500 victims since it first emerged earlier in the year. RansomHub affiliates use a range of methods to infect victims, evade detection and spread across networks, including EDR-killing malware, exploitation of unpatched vulnerabilities, and the use of RDP, PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, Metasploit and other legitimate tools and services, as noted in a CISA advisory.
The use of generative AI to assist with malware code-writing and editing is becoming more common, with patterns indicative of AI use being found in FunkSec ransomware and campaigns spreading AsyncRAT and the Rhadamanthys infostealer. Threat actors with less technical experience could use the technology to enhance their capabilities, lowering the bar to entry for various types of cybercrime.