New Malware Goes Modular

Thursday, April 21, 2016 @ 03:04 PM gHale


A new malware family coded in Python can execute a broad range of attacks via its modular architecture, researchers said.

Called PWOBot, the malware started appearing at multiple European organizations during mid-to-late 2015.


“The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland,” said Palo Alto Networks’ Josh Grunzweig. “Additionally, the malware is delivered via a popular Polish file-sharing web service.”

So far, only the following organizations are known to have faced a PWOBot infection: a Polish national research institution, a Polish shipping company, a large Polish retailer, a Polish information technology organization, a Danish building company, and a French optical equipment provider.

All infections happened after employees of these companies downloaded files off a Polish file hosting service (chomikuj.pl).

An investigation carried out by Palo Alto researchers also brought to light attacks dating back as far as 2013.

The malicious files were generic executables built with PyInstaller, a package that takes ordinary Python code and packages it as a standalone binary.

So far, Palo Alto said, it has only seen PWOBot packed as a Windows executable, but Python is a platform-agnostic language, and PyInstaller can also generate binaries for Linux, Mac OS X, FreeBSD, Solaris, and AIX.
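As an added triage example (not from the original article or from Palo Alto Networks’ research): a defender handed a suspicious executable can confirm that it is a PyInstaller bundle, the packaging described above, by locating the CArchive cookie that PyInstaller writes at the end of its embedded archive and reading the Python version and table-of-contents location it records. The sample bundle below is constructed inline; the two cookie layouts are those of PyInstaller 2.0 and 2.1 and later.

```python
import struct

# Marker that closes every PyInstaller CArchive (constant across releases).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layouts, big-endian. PyInstaller 2.0 wrote a 24-byte cookie;
# 2.1 and later add a 64-byte Python shared-library name (88 bytes).
_COOKIE_V20 = struct.Struct("!8sIIII")
_COOKIE_V21 = struct.Struct("!8sIIIi64s")


def parse_pyinstaller_cookie(data: bytes):
    """Return a dict describing the embedded PyInstaller archive, or None
    if `data` carries no cookie. The cookie is the last structure in the
    archive, so it is located by searching backwards from the file's end,
    the same way the PyInstaller bootloader finds it at start-up."""
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1:
        return None
    tail = data[idx:]
    pylib = None
    if len(tail) >= _COOKIE_V21.size:
        _, pkg_len, toc_off, toc_len, pyver, lib = _COOKIE_V21.unpack_from(tail)
        pylib = lib.split(b"\x00", 1)[0].decode("ascii", "replace")
    elif len(tail) >= _COOKIE_V20.size:
        _, pkg_len, toc_off, toc_len, pyver = _COOKIE_V20.unpack_from(tail)
    else:
        return None
    # Older releases encode Python 2.7 as 27; newer ones encode 3.10 as 310.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": idx,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-packed executable: a fake
    loader stub, a fake archive body, and a valid 2.1-style cookie.
    No real PWOBot bytes are used here."""
    loader = b"MZ" + b"\x00" * 62          # fake PE stub, not a real bootloader
    body = b"\x00" * 100                   # stands in for the TOC and payload
    cookie = _COOKIE_V21.pack(PYINSTALLER_MAGIC, 100 + _COOKIE_V21.size,
                              40, 60, 27, b"python27.dll".ljust(64, b"\x00"))
    return loader + body + cookie
```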

Not all PWOBot infections were the same: researchers found 12 different versions, a variety that stems from PWOBot’s modular architecture.

Some PWOBot modules can download and execute other binaries, launch an HTTP server, log keystrokes, execute custom Python code, query remote URLs and return results, and also mine for Bitcoin using the victim’s CPU or GPU.

All outgoing traffic is tunneled through Tor and encrypted to evade detection by security products.

“While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems,” Grunzweig said in a post. “That fact, coupled with a modular design, makes PWOBot a potentially significant threat.”