A Python-based remote access trojan targeting both Windows and Linux has surfaced, with surveillance and data-theft capabilities.
It establishes command-and-control communication over plain, unencrypted HTTP, through which the operators execute commands, steal files, and capture screenshots remotely.
When executed, it immediately begins fingerprinting the victim’s system by collecting details such as operating system type, hostname, and current username.
This information is then transmitted to the attacker’s server, enabling them to track individual victims across sessions.
K7 Security Labs researchers identified the malware during routine investigations on VirusTotal, where they found an ELF binary whose payload was written entirely in Python.
The trojan was packaged with PyInstaller 2.1 for Python 2.7, which bundles the interpreter, its libraries and the compiled bytecode into a single native executable, so the malicious code is not visible until that archive is unpacked.
After unpacking the archive with PyInstaller extraction tools, analysts found the main entry point in a file named agent-svc.pyc, which holds the complete remote access functionality in a single class called “Agent.”
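The unpacking step above relies on the fact that PyInstaller appends its own archive (a "CArchive") to the bootloader and finishes it with a trailer, or cookie, that records the archive length, the table-of-contents position and the Python version. As an added example that is not code from the K7 report or from PyInstaller itself, the following Python triage script locates that cookie, reports the packer and interpreter versions, lists the table of contents so the entry-point script (here "agent-svc") is visible without a full extraction, and inflates one entry. The sample binary it parses is constructed in build_sample(); it is a fake ELF prefix plus a one-entry 2.1-style archive, not the real malware.

```python
import struct
import zlib

# CArchive trailer ("cookie") that PyInstaller appends after the package it adds to the bootloader.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_20 = struct.Struct("!8siiii")     # PyInstaller 2.0: magic, pkg_len, toc_pos, toc_len, pyver
COOKIE_21 = struct.Struct("!8siiii64s")  # PyInstaller 2.1+: same fields plus the Python shared-library name
ENTRY_HDR = struct.Struct("!iiiiBc")     # entry_len, data_pos, compressed_len, uncompressed_len, flag, type
TYPE_CODES = {b"s": "script", b"z": "PYZ", b"b": "binary", b"x": "data", b"m": "module", b"M": "package"}


def parse_pyinstaller(blob):
    """Return cookie fields and the table of contents, or None if blob is not PyInstaller-packed."""
    pos = blob.rfind(MAGIC)              # the bootloader also contains MAGIC; the cookie is the last copy
    if pos < 0:
        return None
    tail = len(blob) - pos
    if tail == COOKIE_20.size:
        cookie, version = COOKIE_20, "2.0"
    elif tail >= COOKIE_21.size:
        cookie, version = COOKIE_21, "2.1+"
    else:
        return None
    fields = cookie.unpack_from(blob, pos)
    _, pkg_len, toc_pos, toc_len, pyver = fields[:5]
    pylib = fields[5].rstrip(b"\x00").decode("ascii", "replace") if len(fields) > 5 else ""
    # pkg_len counts everything from the start of the appended package up to the end of the cookie.
    pkg_start = pos + cookie.size - pkg_len
    if pkg_start < 0:
        return None
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    entries, off, end = [], pkg_start + toc_pos, pkg_start + toc_pos + toc_len
    while off + ENTRY_HDR.size <= end:
        entry_len, data_pos, clen, ulen, flag, typ = ENTRY_HDR.unpack_from(blob, off)
        if entry_len <= ENTRY_HDR.size:  # corrupt TOC; refuse to loop forever
            break
        name = blob[off + ENTRY_HDR.size:off + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(typ, typ.decode("latin-1")),
                        "offset": pkg_start + data_pos, "compressed": bool(flag),
                        "compressed_len": clen, "uncompressed_len": ulen})
        off += entry_len
    return {"pyinstaller": version, "python": (major, minor), "pylib": pylib,
            "package_start": pkg_start, "entries": entries}


def read_entry(blob, entry):
    """Pull one TOC entry out of the package, inflating it if the compress flag is set."""
    raw = blob[entry["offset"]:entry["offset"] + entry["compressed_len"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def entry_scripts(info):
    """Names of type 's' entries: the scripts the bootloader runs, i.e. the real entry point."""
    return [e["name"] for e in info["entries"] if e["type"] == "script"]


def build_sample():
    """Constructed stand-in for a packed binary: a fake ELF prefix plus a one-entry 2.1-style archive."""
    prefix = b"\x7fELF" + b"\x00" * 60           # not a real ELF header, just filler
    script = b"class Agent(object):\n    pass\n"  # constructed; not the real agent-svc code
    payload = zlib.compress(script)
    name = b"agent-svc"
    name_len = len(name) + 1                     # PyInstaller NUL-terminates the name and pads to 16 bytes
    if (name_len + ENTRY_HDR.size) % 16:
        name_len += 16 - (name_len + ENTRY_HDR.size) % 16
    entry = ENTRY_HDR.pack(ENTRY_HDR.size + name_len, 0, len(payload), len(script), 1, b"s")
    entry += name.ljust(name_len, b"\x00")
    toc_pos, toc_len = len(payload), len(entry)
    pkg_len = toc_pos + toc_len + COOKIE_21.size
    cookie = COOKIE_21.pack(MAGIC, pkg_len, toc_pos, toc_len, 27, b"libpython2.7.so.1.0".ljust(64, b"\x00"))
    return prefix + payload + entry + cookie


if __name__ == "__main__":
    sample = build_sample()
    info = parse_pyinstaller(sample)
    print(info["pyinstaller"], info["python"], info["pylib"], entry_scripts(info))
    print(read_entry(sample, info["entries"][0]).decode())
```

Run it against a real suspect file by passing its bytes to parse_pyinstaller(); the 2.0 versus 2.1+ distinction is made from how many bytes follow the magic, which is how pyinstxtractor-style tools also decide. Type 's' entries are the user scripts, so a single-class agent like the one described will show up there, while 'z' marks the PYZ archive of bundled modules.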
Persistence is achieved differently depending on the operating system. On Linux it drops an XDG autostart entry at ~/.config/autostart/dpkgn.desktop, a name chosen to resemble Debian's dpkg package tooling so that it blends in.
Desktop sessions launch every entry in that directory at user login, so the malware survives reboots without administrator privileges: the directory is writable by the user it runs as.
On Windows it adds a value named “lee” to the current user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), which likewise gives it execution at logon using only user-level permissions.
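Both persistence locations are user-writable and easy to audit. As an added example (not code from the K7 report), the following Python script parses every .desktop file in an autostart directory, flags the filename the report names and any entry whose Exec target resolves outside the usual system paths, and, when run on Windows, enumerates the current user's Run key for the reported value name. The sample autostart directory is constructed in build_sample_dir(); the Exec path inside the fake dpkgn.desktop is a made-up stand-in, since the report does not say where the implant stores itself.

```python
import configparser
import shutil
import sys
import tempfile
from pathlib import Path

# Indicators from the report: the autostart filename on Linux and the Run-key value name on Windows.
KNOWN_BAD_DESKTOP_FILES = {"dpkgn.desktop"}
KNOWN_BAD_RUN_VALUES = {"lee"}
# An Exec target outside these prefixes (home directory, /tmp, ...) deserves a look in any user autostart.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/", "/lib/", "/lib64/", "/snap/", "/etc/")


def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group of a .desktop file; keys keep their case and '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else None


def exec_target(exec_value):
    """First word of Exec=, resolved through PATH when it is a bare command name."""
    words = exec_value.split()
    if not words:
        return ""
    return words[0] if words[0].startswith("/") else (shutil.which(words[0]) or words[0])


def audit_autostart(autostart_dir):
    """Flag user autostart entries by reported filename or by an Exec target outside system paths."""
    autostart_dir = Path(autostart_dir)
    if not autostart_dir.is_dir():
        return []
    findings = []
    for path in sorted(autostart_dir.glob("*.desktop")):
        entry = parse_desktop_entry(path.read_text(errors="replace"))
        if entry is None:
            continue
        target = exec_target(entry.get("Exec", ""))
        reasons = []
        if path.name in KNOWN_BAD_DESKTOP_FILES:
            reasons.append("filename matches the reported indicator")
        if not target.startswith(SYSTEM_PREFIXES):
            reasons.append("Exec target is not under a system path")
        if reasons:
            findings.append({"file": path.name, "name": entry.get("Name", ""),
                             "exec": target, "reasons": reasons})
    return findings


def audit_windows_run_key():
    """On Windows, return HKCU Run values whose name matches the reported indicator; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, command, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values under the key
                break
            if name in KNOWN_BAD_RUN_VALUES:
                hits.append({"value": name, "command": command})
            index += 1
    return hits


def build_sample_dir():
    """Constructed autostart directory: one benign entry and one mimicking the reported dpkgn.desktop."""
    d = Path(tempfile.mkdtemp())
    (d / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=/usr/bin/nm-applet\n")
    # The Exec path below is a constructed stand-in; the report does not give the implant's location.
    (d / "dpkgn.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=dpkg notifier\n"
        "Exec=/home/alice/.cache/.dpkgn/agent-svc\nX-GNOME-Autostart-enabled=true\n")
    return d


if __name__ == "__main__":
    for finding in audit_autostart(Path.home() / ".config" / "autostart"):
        print(finding)
    for hit in audit_windows_run_key():
        print(hit)
```

The system-path test is deliberately coarse: a legitimate entry that runs something from ~/.local/bin will be flagged too, which is the right trade-off for a hunt across many hosts since user-writable autostart targets are exactly where this family and similar user-level implants live.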
Command-and-Control Infrastructure
The trojan talks to its command server through basic HTTP POST requests to a few fixed endpoints, sending system data as plain JSON with no encryption or integrity protection.
This makes the traffic trivially inspectable: any network sensor on the path can read the fingerprint, the tasking and the exfiltrated file contents in the clear.
Each infection is tagged with an identifier built from the victim's username and MAC address. It is “semi-persistent” in that it survives reboots and address changes but changes if the account or network adapter does, and it lets the operators keep tracking an infection even when other system details change.
Polling cadence depends on activity: an idle implant checks in at longer intervals to reduce its network footprint, while an active session polls every half second to stay responsive to incoming commands.
The malware supports extensive file operations, including unrestricted uploads and downloads carried as multipart form-data.
It can enumerate entire directory trees, change the working directory, and build ZIP archives with DEFLATE compression for bulk exfiltration.
Screenshot capture grabs the entire screen through PIL's ImageGrab module and saves it as a temporary JPEG that is automatically uploaded to the attacker's server.
Each task runs in its own thread so that it never blocks the main polling loop; the agent keeps receiving new commands while earlier tasks are still executing.
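The cleartext channel, the half-second polling and the multipart uploads described in the two passages above are all visible to a network sensor. As an added example (not code from the K7 report or from the malware), the following Python script applies those traits to a constructed set of HTTP request records: it flags any source that POSTs to one endpoint at near-constant intervals, picks out unencrypted JSON bodies carrying the fingerprint fields, and lists multipart uploads to a host already flagged as a C2 endpoint. The record layout, the JSON field names (os, hostname, username), the endpoint paths and the addresses are all assumptions; the report gives none of them.

```python
import json
import statistics
from collections import defaultdict

# Assumed field names: the report says only that OS type, hostname and username are sent as plain JSON.
FINGERPRINT_KEYS = {"os", "hostname", "username"}


def post_channels(records):
    """Group POST timestamps by (src, dst, uri) so each endpoint is judged on its own."""
    channels = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            channels[(r["src"], r["dst"], r["uri"])].append(r["ts"])
    return channels


def interval_stats(timestamps):
    """Median gap and coefficient of variation; None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    return statistics.median(gaps), (statistics.pstdev(gaps) / mean if mean else 0.0)


def find_polling_channels(records, min_requests=6, max_cv=0.2):
    """Endpoints hit by one source at near-constant intervals, e.g. a tight 0.5 s tasking loop."""
    hits = []
    for (src, dst, uri), ts in post_channels(records).items():
        if len(ts) < min_requests:
            continue
        stats = interval_stats(ts)
        if stats and stats[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "uri": uri,
                         "median_interval": round(stats[0], 3), "requests": len(ts)})
    return hits


def find_fingerprint_posts(records):
    """Cleartext JSON bodies carrying the host fingerprint the implant sends on check-in."""
    out = []
    for r in records:
        if r["method"] != "POST" or "json" not in r.get("content_type", ""):
            continue
        try:
            body = json.loads(r.get("body") or "")
        except ValueError:
            continue
        if isinstance(body, dict) and FINGERPRINT_KEYS <= set(body):
            out.append({"src": r["src"], "dst": r["dst"], "uri": r["uri"], "body": body})
    return out


def find_multipart_uploads(records, suspects):
    """multipart/form-data POSTs to a host already flagged as C2: file or screenshot exfiltration."""
    c2_hosts = {s["dst"] for s in suspects}
    return [{"src": r["src"], "dst": r["dst"], "uri": r["uri"], "bytes": r.get("body_len", 0)}
            for r in records
            if r["method"] == "POST" and r["dst"] in c2_hosts
            and r.get("content_type", "").startswith("multipart/form-data")]


def triage(records):
    """Run the three checks together; uploads are only reported for hosts the polling check flagged."""
    polling = find_polling_channels(records)
    return {"polling": polling, "fingerprints": find_fingerprint_posts(records),
            "uploads": find_multipart_uploads(records, polling)}


# Constructed records (one victim, one C2 host in TEST-NET-3, one benign SaaS host); not real traffic.
C2 = "203.0.113.10"
SAMPLE = (
    [{"ts": 1700000000.0, "src": "10.0.0.5", "dst": C2, "method": "POST", "uri": "/register",
      "content_type": "application/json",
      "body": json.dumps({"os": "Linux", "hostname": "deb-ws01", "username": "alice"})}]
    + [{"ts": 1700000001.0 + 0.5 * i, "src": "10.0.0.5", "dst": C2, "method": "POST", "uri": "/tasks",
        "content_type": "application/json", "body": "{}"} for i in range(8)]
    + [{"ts": 1700000006.0, "src": "10.0.0.5", "dst": C2, "method": "POST", "uri": "/upload",
        "content_type": "multipart/form-data; boundary=abc", "body_len": 184320}]
    + [{"ts": t, "src": "10.0.0.5", "dst": "198.51.100.7", "method": "POST", "uri": "/api/save",
        "content_type": "application/json", "body": "{\"doc\": 1}"}
       for t in (1700000100.0, 1700000103.1, 1700000111.7, 1700000112.0,
                 1700000130.4, 1700000131.2, 1700000155.9)]
)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The regularity test is what separates the implant's 0.5 s loop from the irregular bursts a user-driven web application produces; the benign host in the sample has more than enough POSTs to be considered but a high coefficient of variation, so it is not reported. Feeding real data means mapping a proxy or Zeek http log onto the same record fields.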
