Cybersecurity researchers have uncovered a sophisticated Python-based malware that employs process injection techniques to hide inside legitimate Windows binaries.
This threat represents a new evolution in fileless attack techniques, combining multi-layer obfuscation with trusted system utilities to evade detection.
The malware's ability to masquerade as harmless files while deploying a full Python runtime environment marks a significant advancement in delivery mechanisms that challenge traditional security approaches.
During a routine analysis at K7 Labs, security researchers identified this novel threat, which uses a 65 MB blob containing mostly filler data with a small valid marshalled .pyc fragment hidden at the end.
This fragment contains the actual malicious code, designed to inject into legitimate Windows executables.
The sample demonstrates several advanced features, including multi-layer encoding, archive type masquerading, and bundling of a Python runtime under a signed executable name that appears legitimate to casual observation.
K7 Labs security analysts noted that the malware's impact extends beyond initial infection, establishing persistent command-and-control communications that continue even after the original loader terminates.
The infection chain begins with a PE dropper that reconstructs a batch script through runtime decryption using SIMD operations.
This script drops config.bat into the public user directory, which then downloads a file disguised as a PNG image from cloud storage.
In reality, this PNG file is a RAR archive: a simple but effective trick that bypasses security filters that treat image files as harmless.
The batch script extracts this archive using the built-in tar command, revealing three components: AsusMouseDriver.sys (a password-protected RAR disguised as a system file), Interput.json (renamed to Install.bat), and a legitimate WinRAR executable used for further extraction.
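Extension-based filtering is exactly what the PNG-that-is-really-RAR trick defeats. The following added example (not K7 Labs code) shows the check a defender would run instead: compare a file's leading magic bytes with the type its extension claims. The signature table and the sample inputs are constructed for this illustration and are not exhaustive.

```python
"""Added example (not K7 Labs code): flag files whose content type, judged from
magic bytes, contradicts the type implied by their extension."""
from pathlib import Path

# Leading byte signatures for a few common formats (constructed, not exhaustive).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "rar": b"Rar!\x1a\x07",   # common prefix of RAR4 and RAR5 signatures
    "pdf": b"%PDF-",
    "pe":  b"MZ",             # DOS/PE header shared by .exe, .dll and .sys
}

# What each extension is expected to contain.
EXTENSION_TO_TYPE = {
    ".png": "png", ".pdf": "pdf", ".rar": "rar",
    ".exe": "pe", ".dll": "pe", ".sys": "pe",
}


def identify(data: bytes) -> str:
    """Return the format whose signature the data starts with, or 'unknown'."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def masquerade_check(filename: str, data: bytes) -> dict:
    """Report whether the file's real content type contradicts its extension.

    A mismatch is only declared when the content is positively identified;
    unknown content (plain text, for example) cannot be judged by magic alone.
    """
    expected = EXTENSION_TO_TYPE.get(Path(filename).suffix.lower(), "unknown")
    actual = identify(data)
    mismatch = actual != "unknown" and expected != actual
    return {
        "file": filename,
        "extension_type": expected,
        "content_type": actual,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    # Constructed samples modelled on the article's artifacts.
    samples = {
        "wallpaper.png": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,   # RAR5 bytes named as PNG
        "AsusMouseDriver.sys": b"Rar!\x1a\x07\x00" + b"\x00" * 16,  # RAR4 bytes named as driver
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,            # genuine PNG header
        "Interput.json": b"@echo off\r\n",                           # text: cannot be judged
    }
    for name, content in samples.items():
        print(masquerade_check(name, content))
```

Run it on a download directory or a quarantine folder and alert on `mismatch`; a RAR signature under a .png or .sys name is the indicator the article describes.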
Execution Flow Chart (Source – K7 Labs)
Once executed, the Python interpreter processes the command-line arguments “dcconsbot” and “dcaat” to trigger a sophisticated de-obfuscation chain: Base64 decoding, BZ2 decompression, Zlib decompression, and finally marshal loading to reconstruct the compiled Python bytecode in memory.
This code immediately targets cvtres.exe, a legitimate Microsoft resource conversion utility, for process injection.
Infection Mechanism Deep Dive
The core infection mechanism relies on a carefully orchestrated multi-stage extraction process that demonstrates the attackers' deep understanding of Windows internals and security tool behaviors.
After the initial PE dropper executes, the config.bat script establishes C:\DragonAntivirus as a working directory before downloading the disguised archive.
The Install.bat script then renames the bundled WinRAR executable and uses it to extract the password-protected AsusMouseDriver.sys archive with a hardcoded password into C:\Users\Public\WindowsSecurityA.
This directory contains the fake ntoskrnl.exe (actually a bundled Python runtime) and the Libimage blob containing the obfuscated payload.
Deobfuscated content (Source – K7 Labs)
A decoy PDF opens to distract users while the malicious code executes silently, parsing the image file through the layered de-obfuscation routine before injecting into cvtres.exe and establishing encrypted C2 communications.
```python
# Simplified de-obfuscation chain
import base64, bz2, zlib, marshal

def deobfuscate_payload(image_data):
    # Layer 1: Base64 decoding
    stage1 = base64.b64decode(image_data)
    # Layer 2: BZ2 decompression
    stage2 = bz2.decompress(stage1)
    # Layer 3: Zlib decompression
    stage3 = zlib.decompress(stage2)
    # Layer 4: Marshal loading (Python bytecode)
    final_payload = marshal.loads(stage3)
    return final_payload
```
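The chain above is what the loader runs; an analyst wants to reverse the same layers and look at the recovered bytecode without ever executing it. The following added example (not K7 Labs code) builds a harmless sample in the same Base64 → BZ2 → Zlib → marshal layering, unwraps it with size caps so a decompression bomb cannot exhaust memory, and walks the resulting code object for referenced names and string constants. The suspicious-name list and the sample source are constructed for the illustration; marshal output is interpreter-version specific, so in practice the fragment must be loaded with the same Python version that produced it.

```python
"""Added example (not K7 Labs code): statically triage a layered
Base64 -> BZ2 -> Zlib -> marshal payload without executing it."""
import base64
import bz2
import marshal
import types
import zlib

# Module, API and string names worth flagging when found in recovered bytecode
# (constructed list for the example; extend to taste).
SUSPICIOUS_NAMES = {
    "ctypes", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "subprocess", "socket", "urllib", "exec", "eval",
}

# Upper bound for each decompression stage; the article's blob was 65 MB.
MAX_STAGE_BYTES = 100 * 1024 * 1024


def layer_encode(code: types.CodeType) -> bytes:
    """Apply the layers in the order the loader later reverses them."""
    return base64.b64encode(bz2.compress(zlib.compress(marshal.dumps(code))))


def layer_decode(blob: bytes, max_size: int = MAX_STAGE_BYTES) -> types.CodeType:
    """Reverse the chain, capping each decompression stage, and return the code object.

    marshal.loads only deserialises; nothing here runs the recovered bytecode.
    """
    stage1 = base64.b64decode(blob, validate=True)
    stage2 = bz2.BZ2Decompressor().decompress(stage1, max_length=max_size)
    stage3 = zlib.decompressobj().decompress(stage2, max_size)
    obj = marshal.loads(stage3)
    if not isinstance(obj, types.CodeType):
        raise ValueError("decoded payload is not a Python code object")
    return obj


def collect_names(code: types.CodeType) -> set:
    """Gather referenced names and string constants from a code object and any nested ones."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= collect_names(const)
        elif isinstance(const, str):
            names.add(const)
        elif isinstance(const, (tuple, frozenset)):
            names |= {c for c in const if isinstance(c, str)}
    return names


def triage(blob: bytes) -> dict:
    """Unwrap a layered blob and report which flagged names its bytecode references."""
    names = collect_names(layer_decode(blob))
    hits = sorted(names & SUSPICIOUS_NAMES)
    return {
        "names": sorted(names),
        "suspicious": hits,
        "verdict": "suspicious" if hits else "clean",
    }


# Constructed sample: source that merely *mentions* an injection API and the
# article's target process name. It is compiled, never executed.
SAMPLE_SOURCE = 'import ctypes\ntarget = "cvtres.exe"\napi = "WriteProcessMemory"\n'
SAMPLE_BLOB = layer_encode(compile(SAMPLE_SOURCE, "<sample>", "exec"))

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

Because `marshal.loads` deserialises into a code object but does not run it, this is a static triage step: the verdict comes from what the bytecode references, and the analyst decides afterwards whether dynamic analysis in an isolated sandbox is warranted.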
The malware's ability to hide inside legitimate Microsoft processes while maintaining encrypted communication channels makes it particularly dangerous for enterprise environments, where traditional signature-based detection may fail to identify the threat.