Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of backdoor malware being distributed alongside a Monero coin miner.

This malware leverages the PyBitmessage library, a Python implementation of the Bitmessage protocol, to establish covert peer-to-peer (P2P) communications.

Unlike traditional HTTP or IP-based methods, PyBitmessage encrypts data exchanges and anonymizes both sender and receiver identities, effectively masking any trace of a central server.

This innovative approach not only complicates detection by antivirus software and network security solutions but also blends malicious communications with legitimate user traffic on the Bitmessage network.

By exploiting a protocol designed for privacy and decentralization, threat actors have crafted a stealthy mechanism to issue command-and-control (C2) instructions, making it exceptionally challenging for security tools to flag these interactions as malicious.

[Figure: Attack flow]

Backdoor Malware Linked to Monero Mining

The malware’s operation begins with the decryption of encrypted resources stored within its top-level file using XOR operations, subsequently dropping two distinct payloads: a Monero coin miner and a backdoor component.

The Monero miner, exploiting the cryptocurrency’s inherent anonymity, hijacks infected systems’ resources for illicit mining profits, with critical files like config.json and idle_maintenance.exe being deployed to a temporary directory.

Simultaneously, the backdoor, crafted using PowerShell, installs PyBitmessage to handle POST requests on local port 8442.

It attempts to download the necessary files from GitHub’s release page or, as a fallback, from a suspected personal drive hosted on a Russia-based file-sharing platform, hinting at the possible origins of the threat actor.

Once operational, the backdoor, built with PyInstaller, deploys various modules and altered libraries such as QtGui4.dll, potentially patched to disable normal functionality as a concealment tactic, and awaits commands from the attacker.

These commands, received as encrypted messages via PyBitmessage, are executed as PowerShell scripts, demonstrating a fileless attack vector that further evades traditional detection mechanisms.
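The behaviour described above gives defenders a host-side pairing to hunt for: a process listening on the local PyBitmessage API port (8442) that then spawns PowerShell. The following is an added example, not code from ASEC or the article, run over constructed Sysmon-style telemetry; the field names and sample values are assumptions, and the legitimate nginx and scheduled-backup entries show why the parent-child link, not the port alone, is the discriminator.

```python
"""Added detection example (not from the ASEC report or the article).

Flags a process that listens on 127.0.0.1:8442 (the PyBitmessage API port
named in the article) and is the parent of a powershell.exe process.
A normal Bitmessage client has no reason to launch PowerShell.
"""

BITMESSAGE_API_PORT = 8442  # local POST endpoint used by the backdoor

# Constructed sample telemetry, loosely modelled on Sysmon event fields.
SAMPLE_EVENTS = [
    {"type": "listen", "pid": 4100, "ip": "127.0.0.1", "port": 8442,
     "image": r"C:\Users\user\AppData\Local\Temp\bm\bitmessagemain.exe"},
    {"type": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Date"},
    # Benign listener on a different port: must not be flagged.
    {"type": "listen", "pid": 2000, "ip": "0.0.0.0", "port": 80,
     "image": r"C:\Program Files\nginx\nginx.exe"},
    # Benign PowerShell whose parent is not an 8442 listener: must not be flagged.
    {"type": "process", "pid": 2100, "ppid": 1500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]


def local_api_listeners(events, port=BITMESSAGE_API_PORT):
    """Map pid -> listen event for processes bound to the loopback API port."""
    return {
        e["pid"]: e
        for e in events
        if e["type"] == "listen"
        and e["port"] == port
        and e["ip"].startswith("127.")
    }


def find_suspicious(events):
    """Return (listener_pid, powershell_pid) pairs where an 8442 loopback
    listener is the direct parent of a powershell.exe process."""
    listeners = local_api_listeners(events)
    hits = []
    for e in events:
        if (e["type"] == "process"
                and e["image"].lower().endswith("powershell.exe")
                and e.get("ppid") in listeners):
            hits.append((e["ppid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for parent, child in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: listener pid {parent} spawned powershell pid {child}")
```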

[Figure: PyBitmessage official website]

Dissecting the Malware’s Dual Threat

The seamless integration of legitimate P2P network functions into malicious workflows underscores the difficulty in tracing and analyzing such threats.

The distribution method of this malware remains unclear, but its ability to masquerade as legitimate software suggests it could be bundled with seemingly harmless files or circulated as cracked software via torrents.

According to the report, ASEC advises users to avoid files from unverified sources and to prioritize official distribution channels, while ensuring security solutions are kept updated to counter such sophisticated threats.

This malware’s reliance on legitimate protocols for nefarious purposes highlights an escalating trend in cybercrime, necessitating heightened vigilance and advanced behavioral monitoring of P2P communications to safeguard systems.

Indicators of Compromise (IOCs)

