Cybersecurity researchers have detailed an attack in which a threat actor used a Python-based backdoor to maintain persistent access to compromised endpoints and then used that access to deploy RansomHub ransomware across the target network.
According to GuidePoint Security, initial access was facilitated by JavaScript malware called SocGholish (aka FakeUpdates), which is known to be distributed through campaigns that trick unsuspecting users into downloading fake web browser updates.
Such attacks commonly lure victims through legitimate but infected websites, to which they are redirected from search results using search engine optimization (SEO) techniques. Once executed, SocGholish establishes contact with an attacker-controlled server to receive secondary payloads.
Last year, SocGholish campaigns targeted WordPress sites running outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.
In the incident that GuidePoint Security investigated, the Python backdoor was dropped approximately 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines on the same network during lateral movement via RDP sessions.
“Functionally, the script is a reverse proxy that connects to a hard-coded IP address. After the script passes the initial command and control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol,” said security researcher Andrew Nelson.
“This tunnel allows a threat actor to move laterally in a compromised network using the victim’s system as a proxy.”
The Python script, an early version of which was documented by ReliaQuest in February 2024, has been observed in the wild since early December 2023, undergoing “surface-level changes” aimed at improving the obfuscation techniques used to evade detection.
GuidePoint also noted that the decoded script is both polished and well-written, indicating that the malware author is either diligent about maintaining readable and inspectable Python code, or is relying on artificial intelligence (AI) tools to help with the coding task.
“With the exception of local variable obfuscation, the code is broken down into separate classes with very descriptive method and variable names,” Nelson added. “Each method also has a high degree of error handling and detailed debugging messages.”
A Python-based backdoor is far from the only precursor discovered in ransomware attacks. As Halcyon highlighted earlier this month, other tools deployed ahead of the ransomware include those responsible for –
- Disabling Endpoint Detection and Response (EDR) solutions with EDRSilencer and Backstab
- Credential theft with LaZagne
- Compromising email accounts by brute-forcing credentials with MailBruter
- Maintaining stealthy access and delivering additional payloads with Sirefef and Mediyes
Ransomware campaigns have also been observed targeting Amazon S3 buckets, using Amazon Web Services server-side encryption with customer-provided keys (SSE-C) to encrypt the victim’s data. The activity has been attributed to a threat actor called Codefinger.
In addition to preventing recovery without the attacker-generated key, the attacks use a timed ransom tactic in which files are marked for deletion within seven days via the S3 Object Lifecycle Management API, pressuring victims to pay.
“The Codefinger threat actor abuses publicly disclosed AWS keys with read and write permissions on S3 objects,” Halcyon said. “Using their own AWS services, they provide encryption in a way that is both secure and unrecoverable without their cooperation.”
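The two signals described above, SSE-C writes and a short object-expiration rule on the same bucket, can be triaged from CloudTrail S3 data and management events. The following is an added example written for this article, not code from Halcyon or AWS; the record layout (`eventName`, `additionalEventData.SSEApplied`, `requestParameters.LifecycleConfiguration`) follows CloudTrail's S3 event format as assumed here, and the sample records are constructed.

```python
# Constructed CloudTrail-style records (not real data); field names follow
# CloudTrail's S3 event layout as assumed for this example.
SAMPLE_EVENTS = [
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-10.sql"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups", "key": "logs/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
]

MAX_EXPIRATION_DAYS = 7                      # the seven-day deletion window from the report
OBJECT_WRITES = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}  # assumed names

def _rules(lifecycle_config):
    """Normalise the Rule element, which may be a single dict or a list of dicts."""
    rule = lifecycle_config.get("Rule", [])
    return rule if isinstance(rule, list) else [rule]

def find_sse_c_writes(events):
    """Object writes whose encryption used a customer-provided key (SSE-C)."""
    return [(e["requestParameters"]["bucketName"], e["requestParameters"].get("key"),
             e["userIdentity"]["arn"])
            for e in events
            if e["eventName"] in OBJECT_WRITES
            and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"]

def find_short_lifecycle_rules(events, max_days=MAX_EXPIRATION_DAYS):
    """Enabled lifecycle rules that expire objects within max_days."""
    hits = []
    for e in events:
        if e["eventName"] not in LIFECYCLE_EVENTS:
            continue
        params = e["requestParameters"]
        for rule in _rules(params.get("LifecycleConfiguration", {})):
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((params["bucketName"], days, e["userIdentity"]["arn"]))
    return hits

def buckets_with_both_signals(events):
    """Buckets where one principal both wrote SSE-C objects and set a short expiry."""
    sse_c = {(b, arn) for b, _, arn in find_sse_c_writes(events)}
    short = {(b, arn) for b, _, arn in find_short_lifecycle_rules(events)}
    return sorted(b for b, _ in sse_c & short)
```

Either signal alone can be legitimate; the combination on one bucket by one principal is what merits an alert and a check of that principal's key exposure.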
The development comes after SlashNext said it had witnessed a surge in “rapid-fire” phishing campaigns impersonating the Black Basta extortion team, using an email bombing technique to flood victims’ mailboxes with more than 1,100 legitimate messages such as newsletters or payment notices.
“Then, when people are feeling down, attackers break in via phone calls or Microsoft Teams messages, posing as the company’s technical support team with a simple fix,” the company said in a statement.
“They talk with confidence to gain credibility by directing users to install remote access software such as TeamViewer or AnyDesk. Once that software is installed on a device, attackers slip in quietly. From there, they can spread malware or infiltrate other areas of the network, clearing the way straight to sensitive data.”