Threat Actors Leverage Python-based Malware to Inject Process into a Legitimate Windows Binary

Cybersecurity researchers have uncovered a sophisticated Python-based malware that employs process injection techniques to hide inside legitimate Windows binaries.

This threat represents a new evolution in fileless attack strategies, combining multi-layer obfuscation with trusted system utilities to evade detection.

The malware’s ability to masquerade as harmless files while deploying a full Python runtime environment marks a significant advancement in delivery mechanisms that challenge traditional security approaches.

During a routine analysis at K7 Labs, security researchers identified this novel threat that uses a 65 MB blob containing mostly filler data with a small valid marshalled .pyc fragment hidden at the end.

This fragment contains the actual malicious code designed to inject processes into legitimate Windows executables.

The sample demonstrates several advanced features including multi-layer encoding, archive type masquerading, and bundling of a Python runtime with a signed executable name that appears legitimate to casual observation.

K7 Labs security analysts noted that the malware’s impact extends beyond initial infection, establishing persistent command-and-control communications that continue even after the original loader terminates.

The infection chain begins with a PE dropper that reconstructs a batch script through runtime decryption using SIMD operations.

This script drops config.bat into the public user directory, which then downloads a file disguised as a PNG image from cloud storage.

In reality, this PNG file is a RAR archive—a simple but effective trick that bypasses security filters treating image files as harmless.

The batch script extracts this archive using the built-in tar command, revealing three components: AsusMouseDriver.sys (a password-protected RAR disguised as a system file), Interput.json (renamed to Install.bat), and a legitimate WinRAR executable used for further extraction.

Figure: Execution Flow Chart (Source – K7 Labs)

Once executed, the Python interpreter processes command-line arguments “dcconsbot” and “dcaat” to trigger a sophisticated de-obfuscation chain through Base64 decoding, BZ2 decompression, Zlib decompression, and finally marshal loading to reconstruct the compiled Python bytecode in memory.

This code immediately targets cvtres.exe, a legitimate Microsoft resource conversion utility, for process injection.

Infection Mechanism Deep Dive

The core infection mechanism leverages a carefully orchestrated multi-stage extraction process that demonstrates the attackers’ deep understanding of Windows internals and security tool behaviors.

After the initial PE dropper executes, the config.bat script establishes C:\DragonAntivirus as a working directory before downloading the disguised archive.

The Install.bat script then renames the bundled WinRAR executable and uses it to extract the password-protected AsusMouseDriver.sys archive with a hardcoded password into C:\Users\Public\WindowsSecurityA.

This directory contains the fake ntoskrnl.exe (actually a bundled Python runtime) and the Lib\image blob containing the obfuscated payload.

Figure: Deobfuscated content (Source – K7 Labs)

A decoy PDF opens to distract users while malicious code executes silently, parsing the image file through the layered de-obfuscation routine before injecting into cvtres.exe and establishing encrypted C2 communications.

# Simplified de-obfuscation chain
import base64, bz2, zlib, marshal

def deobfuscate_payload(image_data):
    # Layer 1: Base64 decoding
    stage1 = base64.b64decode(image_data)
    # Layer 2: BZ2 decompression
    stage2 = bz2.decompress(stage1)
    # Layer 3: Zlib decompression
    stage3 = zlib.decompress(stage2)
    # Layer 4: Marshal loading (Python bytecode)
    final_payload = marshal.loads(stage3)
    return final_payload
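As an added, defender-side example that is not part of the K7 Labs write-up: a small Python triage helper that flags the two disguises described above, an archive whose magic bytes contradict its extension and a Base64 -> BZ2 -> Zlib wrapped blob sitting behind filler, without ever loading the marshalled code. The signature table, function names and the constructed sample blob are my own assumptions, not values from the report.

```python
import base64, binascii, bz2, marshal, re, zlib

# Well-known container signatures (assumed here, not taken from the report).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"Rar!\x1a\x07\x00": "rar",      # RAR 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
}

def sniff_type(data: bytes) -> str:
    """Container type implied by the leading bytes, or 'unknown'."""
    return next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a recognised magic number contradicts the file extension,
    e.g. a '.png' download or a '.sys' 'driver' that really starts with 'Rar!'."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff_type(data)
    return kind != "unknown" and kind != ext

def peel_layers(blob: bytes) -> list:
    """Statically walk the Base64 -> BZ2 -> Zlib chain over the trailing
    Base64 run of a blob (the report hides the real payload behind filler).
    Returns the layers that decoded cleanly, ending with 'marshal-code' when
    the result starts like a marshalled code object. marshal.loads is never called."""
    m = re.search(rb"[A-Za-z0-9+/=]+$", blob)   # assumption: filler is not Base64 text
    if not m:
        return []
    layers, data = [], None
    for skip in range(4):                       # realign if filler bled into the run
        try:
            data = base64.b64decode(m.group(0)[skip:], validate=True)
            break
        except binascii.Error:
            continue
    if data is None:
        return layers
    layers.append("base64")
    try:
        data = bz2.decompress(data); layers.append("bz2")
        data = zlib.decompress(data); layers.append("zlib")
    except (OSError, ValueError, zlib.error):
        return layers
    if data[:1] in (b"c", b"\xe3"):             # TYPE_CODE, with or without FLAG_REF
        layers.append("marshal-code")
    return layers

def build_sample() -> bytes:
    """Constructed test blob: 4 KiB of zero filler, then a harmless code object
    wrapped in the same three layers the report describes."""
    code = marshal.dumps(compile("x = 1", "<sample>", "exec"))
    return b"\x00" * 4096 + base64.b64encode(bz2.compress(zlib.compress(code)))
```

`peel_layers` stops at the first layer that fails, so the returned list also tells you how far a suspicious file matches this family's wrapping.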

The malware’s ability to hide within legitimate Microsoft processes while maintaining encrypted communications channels makes it particularly dangerous for enterprise environments where traditional signature-based detection may fail to identify the threat.
