A new Python-based attack campaign.
Jan 25, 2023

New RAT is frequently being updated.

Securonix describes an attack campaign that’s using a Python-based remote access Trojan dubbed “PY#RATION.”

Malware distributed via phishing.

Securonix observed the first version of PY#RATION in August 2022, and the malware has been updated several times since. The RAT is distributed via phishing emails written in English containing malicious ZIP files. The ZIP files contain LNK files disguised as JPG images showing a UK driver’s license. The researchers believe the campaign is targeting users in the UK or other English-speaking countries.
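The delivery described above can be checked at a mail gateway or during attachment triage. The following is an added example, not code from Securonix or from the malware: it flags ZIP members that are Windows shortcuts by reading the Shell Link header rather than trusting the file name. The member names and the sample archive are constructed for illustration, and the list of image extensions is an assumption.

```python
import io
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")  # assumed list of lure extensions


def find_disguised_lnk(zip_bytes):
    """Return (member name, reason) for ZIP members that are really shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the header bytes; never extract the member to disk.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            is_lnk = head == LNK_MAGIC
            if is_lnk and not name.endswith(".lnk"):
                findings.append((info.filename, "LNK content under a non-LNK name"))
            elif name.endswith(".lnk") and any(ext in name for ext in IMAGE_EXTS):
                findings.append((info.filename, "LNK with an image extension in its name"))
            elif is_lnk or name.endswith(".lnk"):
                findings.append((info.filename, "shortcut file in archive"))
    return findings


def build_sample_zip():
    """Constructed sample archive; names and contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("back.jpg", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_disguised_lnk(build_sample_zip()):
        print(f"{name}: {reason}")
```

Password-protected archives cannot be inspected this way and should be routed to separate handling.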

PY#RATION uses websockets.

After installation, the malware can carry out a wide variety of malicious activities associated with other RATs, such as keylogging and data theft. Securonix notes, however, that “[w]hat makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.”

The researchers conclude, “The PY#RATION malware is not only relatively difficult to detect, the fact that it is a Python compiled binary makes this extremely flexible as it will run on almost any target including Windows, OSX, and Linux variants. Python packages do not need to be installed on the host as all of the needed libraries are self-contained in the executable itself.”