BleepingComputer reports that Windows systems are being compromised in phishing attacks that deliver PY#RATION, a new Python-based remote access trojan.
According to a report from Securonix, the phishing emails carry password-protected ZIP attachments containing LNK files disguised as images; these deliver the PY#RATION malware, which uses the WebSocket protocol both for command-and-control communications and for data exfiltration.
Opening an attached LNK file initiates C2 communication and downloads TXT files, which are renamed to BAT files and executed. The malware then creates "Cortana" and "Cortana/Setup" directories and establishes persistence by placing a batch file in the startup directory.
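The persistence step above is the one a responder can hunt for directly. The script below is an added example, not code from the article or from Securonix: it lists .bat/.cmd files in the per-user and all-users Windows Startup folders (paths resolved from the APPDATA and PROGRAMDATA environment variables, which is an assumption about the host) and notes, for each, whether its contents reference a directory named "Cortana", the directory name the report attributes to PY#RATION. The second heuristic, flagging batch files that launch a Python interpreter, is my assumption based on the RAT being Python-based; the report does not state how the batch file starts the malware. The sample batch files in `demo()` are constructed here for illustration.

```python
"""Hunt for batch-file persistence in Windows Startup folders.

Added example, not code from the article or from Securonix. Flags every
.bat/.cmd file found in a Startup folder, and records whether the file
references a "Cortana" directory (indicator taken from the report) or
launches a Python interpreter (assumption-based heuristic).
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Startup folder locations, resolved from the environment. On a non-Windows
# host these variables are usually unset, so the live scan finds nothing.
def default_startup_dirs() -> list[Path]:
    dirs: list[Path] = []
    if "APPDATA" in os.environ:
        dirs.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if "PROGRAMDATA" in os.environ:
        dirs.append(Path(os.environ["PROGRAMDATA"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


# Indicator from the report: a directory named "Cortana" (e.g. ...\Cortana\Setup\...).
CORTANA_DIR_RE = re.compile(r"[\\/]Cortana\b", re.IGNORECASE)
# Assumption-based heuristic: the batch file invokes a Python interpreter
# (python.exe, pythonw.exe, the py launcher) or a .py script.
PYTHON_RE = re.compile(r"\b(?:python|pythonw|py)(?:\.exe)?\b", re.IGNORECASE)


def classify_batch(text: str) -> list[str]:
    """Return the reasons a Startup batch file deserves a closer look.

    Any batch file in a Startup folder is worth reviewing, so the first
    reason is always present; the others depend on the file's contents.
    """
    reasons = ["batch file present in a Startup folder"]
    if CORTANA_DIR_RE.search(text):
        reasons.append("references a 'Cortana' directory (PY#RATION indicator)")
    if PYTHON_RE.search(text):
        reasons.append("launches a Python interpreter (heuristic, assumed)")
    return reasons


def scan_directory(directory: Path) -> list[dict]:
    """List .bat/.cmd files in one directory with their classification."""
    findings: list[dict] = []
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if entry.suffix.lower() not in (".bat", ".cmd"):
            continue
        try:
            text = entry.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the hunt
        findings.append({"path": str(entry), "reasons": classify_batch(text)})
    return findings


def scan_startup_folders() -> list[dict]:
    """Scan every Startup folder known to default_startup_dirs()."""
    return [f for d in default_startup_dirs() for f in scan_directory(d)]


def demo() -> list[dict]:
    """Run the scan over a constructed Startup folder (sample files made up here)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample resembling a persistence launcher: a PY#RATION-style
        # path under a "Cortana" directory, started through pythonw.exe.
        (root / "Update.bat").write_text(
            '@echo off\r\nstart "" /min "%LOCALAPPDATA%\\Cortana\\Setup\\pythonw.exe" '
            '"%LOCALAPPDATA%\\Cortana\\Setup\\main.py"\r\n'
        )
        # Constructed benign sample: still listed, but with no extra reasons.
        (root / "backup.cmd").write_text("@echo off\r\nxcopy D:\\docs E:\\docs /E\r\n")
        # Not a batch file: ignored by the scan.
        (root / "readme.txt").write_text("not a batch file\r\n")
        return scan_directory(root)


def print_findings(findings: list[dict]) -> None:
    for finding in findings:
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)


if __name__ == "__main__":
    print("Live Startup folders:")
    print_findings(scan_startup_folders())
    print("Constructed demo folder:")
    print_findings(demo())
```

Treat a hit on the "Cortana" indicator as a lead, not proof: the report gives only the directory name, so confirm with the batch file's contents, the files it launches, and the outbound WebSocket connection to the C2 address before acting on it.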
Beyond network enumeration, Securonix researchers found that PY#RATION version 1.6.0 supports file transfer in both directions between the compromised host and the C2 server, keylogging, shell command execution, host enumeration, extraction of web browser cookies and passwords, clipboard data exfiltration, and detection of installed anti-virus tools.
All observed PY#RATION versions used the same C2 address, which makes that address a stable network indicator for the campaign.
Windows systems targeted by novel Python RAT malware