Python-based Trojan evades detection via advanced self-modification
“A new type of Trojan has entered the game that involves evading detection through advanced self-modification.”
The cybersecurity industry has been rocked by a recently discovered threat: a Python-based remote access Trojan (RAT) called nirorat.py. Because the malware's basic design relies on dynamic evasion, experts warn that it marks a step forward in the arms race between attackers and defenders, rendering most traditional signature-based antivirus software ineffective.
The RAT was uploaded to VirusTotal under the SHA256 hash 7173e20e7ec2l7f6a1591flfc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c. Its significantly low detection rate at the time of analysis demonstrates the effectiveness of its self-modification.
This "high-risk threat" is characterized by powerful polymorphic and self-modifying capabilities built on skillful use of Python's runtime features.
Self-modifying engine: a digital mask
At the heart of Nirorat's evasion is a clever "self-modifying and packing mechanism". Its purpose is to neutralize static analysis by ensuring that the malware's file signature is different every time it is executed.
The RAT begins by retrieving its own source code at runtime using Python's inspect module. A function named self_modifying_wrapper() treats the core logic, including the main payload, as data.
Next, it applies XOR encryption and a compression/decompression cycle built on the zlib and marshal modules. The exec() function then runs the recovered source directly in memory.
This dynamic transformation mimics a conventional software packer and ensures that each run presents itself as a distinct file.
Code obfuscation in a polymorphic pipeline
In addition to changing its signature, Nirorat uses a powerful "Advanced Polymorphic Obfuscation Pipeline" to make both machine and human analysis harder. The polymorph_code() function drives this process, systematically destroying the structure and readability of the code.
It starts by randomly renaming every variable. It then injects non-functional "junk snippets", including random sleep() calls, empty list comprehensions, unused functions, and empty try/except blocks, at random points in the code.
Finally, function definitions are extracted, shuffled, and reassembled. These structural changes hinder static analysis and make it very difficult for a security analyst to follow the code's original logic.
Wide attack surface
Once running, Nirorat is a fully operational remote access tool that gives attackers a wide range of options. The malware has a broad "attack surface" covering data exfiltration, command and control, and network propagation.
Its capabilities include:
- Network spread: the functions socket_network_scan() and spread_to_network() allow lateral movement across a target's internal systems.
- Brute force: uses functions such as test_default_credentials() to brute-force network devices.
- Surveillance: record_screen_webcam() and related functions capture the screen and webcam, take snapshots, and record audio.
- Command and control (C2): features to collect system information, upload and download files, and run shell commands.
- Distinctive feature: an integrated Discord bot interface lets attackers issue commands. Notably, it includes a /xworm command to drop a secondary payload from an external URL and a /xworm command to encrypt files, hinting at future ransomware functionality.
Defense and mitigation
Defenders must shift from file signatures to behavioral analysis to confront this dynamic threat. The Indicators of Compromise (IoCs) point to specific observable actions:
- Monitor Python processes: watch for unexpected use of marshal.loads() and dynamic calls to inspect.getsource().
- Behavioral red flags: random delays and frequent zlib imports are important indicators, as they are symptoms of the packing and obfuscation pipeline.
- Recommended action: to identify and stop this complex, multi-faceted malware, experts recommend comprehensive runtime behavioral analysis in sandboxed environments as well as file integrity checks on Python scripts.
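The recommendations above can be turned into a simple static check. The following scanner is an added example written for this article; it is not the article's own tooling and not the malware's code. It parses a Python script with the standard ast module (never executing it), resolves import aliases, and flags the combination of calls the article names as indicators: inspect.getsource(), marshal.loads(), zlib.decompress(), exec() and time.sleep(). It also fingerprints the script so that a file which rewrites itself on every run fails an integrity check. The two sample scripts, the REQUIRED/UNPACK rule and the placeholder PAYLOAD value are constructed for the demo.

```python
"""Static heuristic scanner for the self-unpacking loader pattern.

Added example, not the article's or the malware's own code. Samples below are
constructed, inert text that is parsed, never executed.
"""
import ast
import hashlib
import hmac
from dataclasses import dataclass, field

# Calls that, seen together in one file, indicate a self-unpacking loader.
SUSPICIOUS_CALLS = {
    "inspect.getsource": "reads its own source at runtime",
    "marshal.loads": "deserialises a code object",
    "zlib.decompress": "inflates an embedded blob",
    "exec": "executes generated code in memory",
    "time.sleep": "delay, often randomised as junk code",
}

# Rule (assumed for this demo): a loader reads itself, unpacks, then runs from memory.
REQUIRED = ("inspect.getsource", "exec")
UNPACK = ("marshal.loads", "zlib.decompress")


@dataclass
class Finding:
    name: str   # resolved call name, e.g. "marshal.loads"
    line: int   # source line of the call
    note: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def names(self) -> set:
        return {f.name for f in self.findings}


def _import_aliases(tree: ast.AST) -> dict:
    """Map local names to modules so `import marshal as m` or
    `from marshal import loads as L` cannot hide the call."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualname(func: ast.AST, aliases: dict):
    """Return 'module.attr' or a bare name for a Call's target, or None."""
    if isinstance(func, ast.Name):
        return aliases.get(func.id, func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
    return None


def scan_source(source: str) -> Report:
    """Collect every suspicious call in `source` without executing it."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    report = Report()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualname(node.func, aliases)
            if name in SUSPICIOUS_CALLS:
                report.findings.append(Finding(name, node.lineno, SUSPICIOUS_CALLS[name]))
    return report


def is_self_modifying_loader(report: Report) -> bool:
    """True when the file reads itself, unpacks a blob, and exec()s the result."""
    names = report.names
    return all(r in names for r in REQUIRED) and any(u in names for u in UNPACK)


def fingerprint(source: str) -> str:
    """SHA-256 of the script text; record this as the integrity baseline."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def integrity_ok(baseline_hex: str, source: str) -> bool:
    """A script that rewrites itself on every run fails this check after one run."""
    return hmac.compare_digest(baseline_hex, fingerprint(source))


# Constructed sample mirroring the pattern the article describes (inert text,
# only parsed; PAYLOAD is a placeholder, not a real blob).
LOADER_SAMPLE = '''
import inspect, marshal, zlib, time, random
PAYLOAD = b"<placeholder>"
def self_modifying_wrapper():
    src = inspect.getsource(self_modifying_wrapper)
    code = marshal.loads(zlib.decompress(PAYLOAD))
    time.sleep(random.randint(1, 5))
    exec(code)
'''

# Constructed benign sample: legitimate zlib use, no self-inspection or exec().
BENIGN_SAMPLE = '''
import zlib, json
def load_cache(path):
    with open(path, "rb") as fh:
        return json.loads(zlib.decompress(fh.read()))
'''

if __name__ == "__main__":
    for label, sample in (("loader", LOADER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        rep = scan_source(sample)
        print(f"{label}: loader={is_self_modifying_loader(rep)}")
        for f in rep.findings:
            print(f"  line {f.line}: {f.name} ({f.note})")
```

The scanner deliberately scores the combination rather than any single call: zlib.decompress() alone is common in legitimate code (the benign sample is not flagged), whereas a file that reads its own source, unpacks a blob and exec()s the result has no ordinary reason to exist. Running this over a script before it is scheduled or deployed, and storing the fingerprint() value as a baseline, covers the "file integrity checks on Python scripts" recommendation; the runtime monitoring of marshal.loads() and inspect.getsource() still needs a sandbox or process-level hooks.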
About the author
Suraj Kohli is a content specialist who writes about cybersecurity and information security. He has written many articles on cyber security concepts, the latest trends in cyber awareness, and ethical hacking.