By Augusto Barros, VP, Cyber Security Evangelist
PY#RATION is a new campaign uncovered by the Securonix Threat Labs team. Back in August 2022 the team identified what appeared to be version 1.0 of the malware used in this campaign. Since then, the code has been updated multiple times and is currently at version 1.6.0. The malware exhibits remote access trojan (RAT) behavior, allowing for control of, and persistence on, the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly notable is its use of websockets for both command and control (C2) communication and exfiltration, as well as how it evades detection by antivirus and network security measures. Another interesting feature is the use of Python in its development.
Defending against PY#RATION
Although the malware used in this campaign shows some innovative features and characteristics, defending against it requires similar measures to those described in our first blue team debriefing on STEEP#MAVERICK. We are again looking at initial infection via a phishing email containing password protected ZIP files as attachments. The same recommendations related to filtering email delivered malware are applicable to this case.
As with STEEP#MAVERICK, this malware applies multiple obfuscation steps to avoid detection on the endpoint. However, many of these steps are well-known as suspicious activity; well configured EDR solutions or a modern SIEM ingesting detailed endpoint telemetry (such as Sysmon logs) should be able to alert on those, provided that the necessary threat detection content is in place.
This is a good time to remind blue teams that a threat detection solution is only as good as the content currently deployed. Check your content update and detection engineering processes to ensure your tools have content looking for well-known malware behavior, such as those described in our detailed advisory about PY#RATION. Examples of common MITRE ATT&CK techniques used in this case are:
- T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1140: Deobfuscate/Decode Files or Information
- T1420: File and Directory Discovery
Having content in place that covers more general behaviors, instead of relying on IOCs or very specific malware behavior, is a good way to increase your chances of detection even before knowing the details of the campaign and related malware. Take, for instance, the following policy from Securonix:
- EDR-ALL-1098-RU: Suspicious PowerShell In lnk File Process Pattern Analytic
This policy looks for the execution of a .lnk (shortcut) file which contains embedded PowerShell commands. It’s not specific to a campaign or malware, but it is behavior that many actors use in their malware. This type of content acts as an umbrella to many threats, known and unknown. Blue teams should work to maximize the amount of content like this in their environments, covering the most frequent MITRE ATT&CK techniques used by common threats. This will help them reduce the need to develop and deploy campaign and threat specific content, reducing the operational cost of their threat detection efforts.
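To make the behavior-based approach concrete, here is an added example (not Securonix's rule logic or code from the original post) that runs a simplified version of that detection over constructed Sysmon Event ID 1 (process creation) records. The field names (Image, ParentImage, CommandLine, UtcTime) follow Sysmon; the heuristic, which flags PowerShell launched by explorer.exe (the parent when a shortcut is double-clicked) with command-line traits typical of shortcut-embedded commands, is an illustrative assumption.

```python
"""Behavior-based detection over constructed Sysmon process-creation records."""
import re

POWERSHELL = ("powershell.exe", "pwsh.exe")

# Command-line traits commonly paired with PowerShell embedded in a .lnk target.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I),   # encoded payload
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),       # hidden window
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),  # policy bypass
    re.compile(r"\.lnk\b", re.I),                           # shortcut reference
]


def _basename(path):
    """Normalize a Windows path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lnk_powershell(event):
    """Return the list of matched traits for one event (empty if not flagged)."""
    if _basename(event.get("Image", "")) not in POWERSHELL:
        return []
    # explorer.exe is the parent when a user double-clicks a shortcut.
    if _basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    cmd = event.get("CommandLine", "")
    return [p.pattern for p in SUSPICIOUS_ARGS if p.search(cmd)]


def detect(events):
    """Return (UtcTime, matched traits) for every flagged event."""
    return [(e["UtcTime"], hit) for e in events if (hit := is_lnk_powershell(e))]


# Constructed sample telemetry; not real campaign data. The encoded payload is
# a placeholder, not an actual command.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-01-01 10:00:01.000", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"UtcTime": "2023-01-01 10:00:05.000",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-EncodedCommand <BASE64_PLACEHOLDER>"},
    {"UtcTime": "2023-01-01 10:00:09.000",   # interactive admin session: not flagged
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]
```

The third record shows why the parent process alone is not enough: an interactive PowerShell session started from the desktop shares the same parent, so the command-line traits carry the decision.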
Finally, PY#RATION offers us a rare opportunity for defensive action: although it applies many obfuscation techniques, it uses only a single IP address for command and control traffic: “169[.]239.129.108”. Modern malware will usually apply techniques to constantly change the server endpoint of its C2 channels, but this one does not. In this case, the good old network-based block (applied on firewalls, EDR, SWG, IPS, etc.) is an effective way to break the C2 channel for all endpoints in your environment.
Conclusion
Just like STEEP#MAVERICK, PY#RATION includes some advanced techniques, but at the same time it acts in a very simple and well understood manner. Best practices are mostly enough to mitigate the associated risk. CIS Critical Security Controls safeguards that could help against this threat include:
- 8.8 Collect command-line audit logs
- 8.9 Centralize audit logs
- 8.10 Retain audit logs
- 9.6 Block unnecessary file types
- 9.7 Deploy and maintain email server anti-malware protections
- 10.7 Use behavior-based anti-malware software
It is also important to remember that infection by PY#RATION may have happened before the appropriate detection content was put in place. Retroactive searching for the related IOCs should always be used to identify cases where the initial compromise was not detected.