New Polymorphic Malware Undetected By Security Tools


A new polymorphic malware identified by a security researcher earlier this week remains undetected by most security tools.

Xavier Mertens wrote about the malware in a SANS blog post on October 8. At the time, there were only two detections of the malware on VirusTotal. Two days later, there are still only two detections.

Polymorphic Malware Built on Python

The malware, a Python remote access trojan (RAT) uploaded to VirusTotal as “nirorat.py,” got Mertens’ attention because of some function names in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code().

Polymorphic malware is designed to mutate its appearance, and with it its signature, every time it executes, he said.

“To be able to modify its code on the fly, the program must have access to its own source code,” he wrote. “Many languages have this capability.”

In Python, the inspect module can add that capability, he added.

In the malware he identified, Mertens said the self_modifying_wrapper() function “will grab a function code, XOR it with a random key then un-XOR it and execute it from memory” to wrap critical code in a self-modifying layer.

The malware also has the capability to obfuscate code with advanced variable renaming and junk code injection. He included code samples for the self_modifying_wrapper() and polymorph_code() functions.
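The wrapper pattern described above (read a function's own source via the inspect module, XOR it with a random key, XOR it back, execute the result from memory) leaves a small static fingerprint even when the bytes on disk change between runs. The following Python script is an added detection example, not code from the article or from the sample Mertens analysed: it parses a Python file with the standard-library `ast` module and flags files that combine source introspection, a byte-level XOR transform and dynamic execution. The two embedded inputs are constructed fixtures, one benign documentation helper and one inert stand-in for the self-modifying wrapper; the function and field names are the example's own.

```python
"""Static heuristic for the self-modifying XOR wrapper pattern (added example)."""
import ast
from dataclasses import dataclass, field

# Attribute or bare names that read a function's own source text.
SOURCE_INTROSPECTION = {"getsource", "getsourcelines"}
# Builtins that turn text back into running code.
DYNAMIC_EXEC = {"exec", "eval", "compile"}


@dataclass
class Findings:
    """Line numbers where each indicator was seen."""
    introspection: list = field(default_factory=list)
    xor_transforms: list = field(default_factory=list)
    dynamic_exec: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any one indicator alone is common in legitimate code (doc tools,
        # checksums, plugin loaders); the combination of all three is what
        # matches the wrapper pattern, so only that combination is flagged.
        return bool(self.introspection and self.xor_transforms and self.dynamic_exec)


def analyze(source: str) -> Findings:
    """Walk the AST once and collect the three indicators."""
    findings = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            # inspect.getsource(fn) or, after "from inspect import getsource", getsource(fn)
            if isinstance(func, ast.Attribute) and func.attr in SOURCE_INTROSPECTION:
                findings.introspection.append(node.lineno)
            elif isinstance(func, ast.Name):
                if func.id in SOURCE_INTROSPECTION:
                    findings.introspection.append(node.lineno)
                elif func.id in DYNAMIC_EXEC:
                    findings.dynamic_exec.append(node.lineno)
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
            # Coarse: every "a ^ b" counts. Tighten to comprehensions/loops over
            # byte sequences if XOR-heavy benign code causes noise in your corpus.
            findings.xor_transforms.append(node.lineno)
    return findings


# Constructed fixture: legitimate use of inspect with no XOR and no exec.
BENIGN_SAMPLE = '''
import inspect

def show_source(fn):
    """Return a function's source for a help page."""
    return inspect.getsource(fn)
'''

# Constructed fixture: inert stand-in for the wrapper shape the article
# describes. It is never called here; it exists only to be scanned.
SUSPICIOUS_SAMPLE = '''
import inspect, random

def self_modifying_wrapper(fn):
    key = random.randint(1, 255)
    src = inspect.getsource(fn).encode()
    enc = bytes(b ^ key for b in src)
    dec = bytes(b ^ key for b in enc)
    exec(dec.decode())
'''


def report(name: str, source: str) -> str:
    """Human-readable one-line verdict for a scanned source."""
    f = analyze(source)
    verdict = "SUSPICIOUS" if f.suspicious else "clean"
    return (f"{name}: {verdict} (introspection={f.introspection}, "
            f"xor={f.xor_transforms}, exec={f.dynamic_exec})")


if __name__ == "__main__":
    print(report("benign", BENIGN_SAMPLE))
    print(report("suspicious", SUSPICIOUS_SAMPLE))
```

Because the scan works on the abstract syntax tree rather than on raw bytes, renaming variables or inserting junk statements (the other two obfuscations the article mentions) does not remove the indicators; they would have to be restructured, not just re-spelled, to evade this check.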

Python RAT Also Includes More Than 40 Attack Capabilities

The malware also has more than 40 attack and reconnaissance capabilities “and offers plenty of features to the Attacker,” he said.

Some of the functions and capabilities include network and host scanning, router hacking, testing default credentials, screen recording, payload delivery and execution, stolen data transmission, lateral movement, and more.

Among the bot commands are options for deploying the Xworm payload, running a keylogger and exporting the logs, encrypting the victim’s files, running a cryptominer, capturing screenshots and audio, running shell commands, uploading files to the victim PC, and searching and sending files from the PC.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.