
Polymorphic Python Malware: SANS ISC Diary Analysis

TL;DR
A new Python RAT spotted on VirusTotal uses self-modifying code and polymorphic transformations (e.g., junk-code injection, variable shuffling) to evade signatures; despite low initial detections (2/64), its capabilities span file encryption, cryptomining, Discord-style bot control, and lateral spread—making behavior-based detections, script control, and EDR telemetry essential.

What happened
SANS Internet Storm Center (ISC) handler Xavier Mertens analyzed a Python RAT uploaded to VirusTotal with functions like self_modifying_wrapper(), decrypt_and_execute(), and polymorph_code(). The sample (SHA256: 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c) reportedly scored 2/64 on first pass, indicating weak static detections when it was submitted.

Why it matters
Polymorphism in scripting languages lets commodity RATs sidestep signature-based AV/IDS. By altering source at runtime (e.g., XOR “packing,” junk insertion, random renaming), the same core behaviors can persist while hashes and simple string indicators change—driving up false negatives for static tools and pushing defenders toward telemetry- and behavior-centric controls.

Technical highlights

  • Self-modifying wrapper: reads a function's own source via Python's inspect module, XORs it with a key held in the script, and exec()s the unpacked text in memory, mimicking a packer. XOR with an embedded key is obfuscation rather than encryption: the analyst recovers the plaintext by applying the same key, so the trick buys evasion against static scanners, not against a reverser.
  • Polymorphic transformer: Injects randomized junk code, renames identifiers, shuffles function order, and normalizes line endings to frustrate pattern-matching.
  • Capabilities (excerpt): async network scanning, default-credential checks, payload delivery/execution, data exfil, screen/audio capture, encryption, mining, keylogging, and a Discord-like command bot with handlers such as /encrypt, /screenshot, /upload, /xworm, /keylog_start, etc.
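The wrapper and the transformer described above, reduced to a harmless, runnable demonstration. This is added example code, not the sample analysed in the diary and not Xavier Mertens's code; the function names (pack, unpack_and_run, polymorph), the toy payload() and the junk-statement template are assumptions made for the demo. It reads a benign function's own source through inspect, applies an AST-level transform (identifier renaming plus a dead junk assignment), XORs the result, and exec()s the unpacked text in memory, so each copy hashes differently while returning the same value.

```python
"""Added example (not the diary's sample): a benign reproduction of the
self-modifying wrapper and the polymorphic transformer described above."""
import ast
import hashlib
import inspect
import random
import string


def payload(n: int) -> int:
    """Harmless stand-in for the RAT's real routine (assumed for the demo)."""
    total = 0
    for i in range(n):
        total += i * i
    return total


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _ident(rng: random.Random) -> str:
    """Random 10-letter identifier, the 'variable shuffling' the diary mentions."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(10))


class _Polymorph(ast.NodeTransformer):
    """Rename locals, arguments and function names; prepend a junk assignment."""

    def __init__(self, mapping: dict, rng: random.Random):
        self.mapping, self.rng = mapping, rng

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node

    def visit_FunctionDef(self, node):
        self.generic_visit(node)
        node.name = self.mapping.get(node.name, node.name)
        junk = ast.parse(f"{_ident(self.rng)} = {self.rng.randint(1, 9999)}").body
        node.body = junk + node.body  # dead store: never read, changes every copy
        return node


def polymorph(src: str, seed: int) -> tuple:
    """Return (mutated source, name mapping); the same seed gives the same variant."""
    rng = random.Random(seed)
    tree = ast.parse(src)
    names = {n.id for n in ast.walk(tree)
             if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    names |= {a.arg for a in ast.walk(tree) if isinstance(a, ast.arg)}
    names |= {f.name for f in ast.walk(tree) if isinstance(f, ast.FunctionDef)}
    mapping = {name: _ident(rng) for name in sorted(names)}
    tree = _Polymorph(mapping, rng).visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), mapping


def pack(func, seed: int) -> tuple:
    """Mimic self_modifying_wrapper(): read the function's own source via
    inspect, mutate it, XOR it. Returns (blob, key, mutated function name)."""
    rng = random.Random(seed ^ 0xA5A5)
    key = bytes(rng.randrange(256) for _ in range(16))
    mutated, mapping = polymorph(inspect.getsource(func), seed)
    return xor_bytes(mutated.encode(), key), key, mapping[func.__name__]


def unpack_and_run(blob: bytes, key: bytes, name: str, *args):
    """Mimic decrypt_and_execute(): restore the text in memory and exec() it.
    Nothing is written to disk, so file-based scanners never see the plaintext."""
    ns: dict = {}
    exec(xor_bytes(blob, key).decode(), ns)
    return ns[name](*args)


def demo(seeds=(1, 2, 3)) -> dict:
    """Build one packed variant per seed: hashes differ, behaviour does not."""
    variants = [pack(payload, s) for s in seeds]
    hashes = {hashlib.sha256(blob).hexdigest() for blob, _, _ in variants}
    results = {unpack_and_run(blob, key, name, 10) for blob, key, name in variants}
    return {"distinct_hashes": len(hashes), "results": results, "expected": payload(10)}


if __name__ == "__main__":
    print(demo())
```

demo() produces three variants from three seeds: three distinct SHA-256 values and one behaviour. A static rule keyed on the blob hash or on the original identifier names misses every copy; what stays constant across variants is the exec() of string-built code and the XOR loop, which is why the detection ideas below target behaviour rather than bytes.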

Detection & hunting ideas (MITRE ATT&CK mapping)

  • Execution: unsigned scripts and Python interpreter invocations spawning unusual child processes (T1059.006: Command and Scripting Interpreter: Python).
  • Defense Evasion: runtime code modification and obfuscation (T1027: Obfuscated Files or Information), execution of unpacked code in memory (T1620: Reflective Code Loading).
  • Discovery/Lateral Movement: socket scans and default-credential tests (T1046: Network Service Discovery, T1110: Brute Force).
  • Collection/Exfiltration: screen/audio capture, file staging and archiving (T1113: Screen Capture, T1123: Audio Capture, T1074: Data Staged, T1560: Archive Collected Data).
  • C2: bot-command patterns over Discord-like channels; monitor for API tokens/webhooks in scripts and in outbound traffic (T1102.002: Web Service: Bidirectional Communication, carried over T1071.001: Web Protocols).

Practical mitigations

  • Script control: restrict which interpreters can run and from where. AppLocker script rules do not cover .py files, so constrain python.exe and pythonw.exe themselves with executable rules or WDAC, especially when they run from user-writable paths such as %APPDATA% or %TEMP%.
  • EDR analytics: most EDRs see process, file and network events, not in-process calls such as inspect.getsource() or exec(). Pair the observable signals (a Python process opening its own script for reading, then making outbound connections or spawning shells) with interpreter-level telemetry from a PEP 578 audit hook (sys.addaudithook) that logs exec() of string-compiled code.
  • Network: egress filtering for collaboration/messaging APIs not used by the org; TLS inspection with domain allowlists.
  • Email & web: block HTA/ZIP/LNK/JS loaders that often deliver commodity RATs.
  • Credential hygiene: disable default creds on exposed services; enforce MFA on admin paths.
  • Threat intel: track the sample hash, but write YARA rules on the strings that survive the polymorphism (bot handler names such as /keylog_start and /xworm, the inspect-plus-exec loader pattern) rather than on hash-dependent artifacts; pivot on the Discord bot artifacts from the diary.
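One way to get the interpreter-level visibility the EDR analytics bullet asks for, as an added example that is not from the diary or from any EDR product: a PEP 578 audit hook installed with sys.addaudithook that counts opens of the process's own source file and records every exec() of code compiled from a string (co_filename "<string>", i.e. code that never existed on disk), then inventories the API names the unpacked stage references. The loader stand-in decrypt_and_execute(), the XOR key, the RISKY name list and the benign second-stage text are all constructed for the demo.

```python
"""Added example (not the diary's code): a PEP 578 audit hook that surfaces
the two loader behaviours from inside the interpreter, where EDR cannot see."""
import inspect
import os
import sys

# Path of this module, so the hook can notice the process reading its own source.
OWN_FILE = os.path.abspath(__file__) if "__file__" in globals() else None


def _code_names(code) -> set:
    """co_names of a code object plus every nested function's code object."""
    names = set(code.co_names)
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            names |= _code_names(const)
    return names


class InMemoryExecMonitor:
    """Records opens of our own source file and every exec() of code compiled
    from a string (co_filename == '<string>'), i.e. code that never sat on disk."""

    RISKY = {"socket", "subprocess", "exec", "eval", "inspect", "ctypes", "base64"}

    def __init__(self, own_file):
        self.own_file = own_file
        self.self_reads = 0
        self.alerts = []

    def install(self):
        sys.addaudithook(self._hook)  # hooks persist for the life of the process

    def _hook(self, event, args):
        try:
            if event == "open" and args and isinstance(args[0], str):
                if self.own_file and os.path.abspath(args[0]) == self.own_file:
                    self.self_reads += 1
            elif event == "exec" and args:
                code = args[0]  # the 'exec' event carries the code object
                if getattr(code, "co_filename", None) == "<string>":
                    names = _code_names(code)
                    self.alerts.append({
                        "names": names,
                        "risk": len(names & self.RISKY),
                        "self_read_before": self.self_reads > 0,
                    })
        except Exception:
            pass  # an audit hook must never raise into the interpreter


MONITOR = InMemoryExecMonitor(OWN_FILE)
MONITOR.install()

# Constructed for the demo: a benign second stage and the XOR key that packs it.
KEY = b"\x5a\xa5\x13\x37"
STAGE_SRC = (
    "def beacon(host, port):\n"
    "    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
    "    s.connect((host, port))\n"
    "    return s\n"
    "def run_cmd(cmd):\n"
    "    return subprocess.check_output(cmd, shell=True)\n"
    "answer = 6 * 7\n"
)


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


STAGE_BLOB = xor(STAGE_SRC.encode(), KEY)


def decrypt_and_execute(blob: bytes, key: bytes) -> dict:
    """Stand-in for the diary's decrypt_and_execute(): unpack in memory, then exec()."""
    ns: dict = {}
    exec(xor(blob, key).decode(), ns)  # fires the 'exec' audit event with '<string>'
    return ns


def demo() -> dict:
    """Run the mimicked loader under the hook and return what the hook recorded."""
    start = len(MONITOR.alerts)
    inspect.getsource(decrypt_and_execute)  # mimics the wrapper reading its own source
    ns = decrypt_and_execute(STAGE_BLOB, KEY)
    return {
        "answer": ns["answer"],
        "alerts": MONITOR.alerts[start:],
        "self_reads": MONITOR.self_reads,
    }


if __name__ == "__main__":
    for alert in demo()["alerts"]:
        print(f"risk={alert['risk']} self_read_before={alert['self_read_before']} "
              f"names={sorted(alert['names'])}")
```

The exec() of the unpacked stage produces one alert whose name inventory already lists socket and subprocess before a single connection is made; self_reads counts opens of the module's own file, which fire the first time inspect.getsource() pulls it through linecache. To deploy, put the hook in a sitecustomize.py on the interpreter's path so it loads before any script; it covers only interpreters you manage, so a RAT bundled with its own Python runtime still needs the process and network telemetry from the mitigations above.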

References

  • SANS ISC diary: “Polymorphic Python Malware” by Xavier Mertens (published Oct 8, 2025).
  • ISC front page confirming it as Top Story (context).
  • ISC/X post pointing to the diary (signal boost / provenance).
