RansomHub Affiliate Deploys Python-Based Backdoor for Stealth Attacks

Summary
In Q4 2024, GuidePoint Security uncovered a significant incident involving a Python-based backdoor used by a threat actor to maintain persistent access to compromised endpoints. This access was later exploited to deploy RansomHub encryptors across the affected network, causing widespread disruption. ReliaQuest had analyzed and documented an earlier version of this backdoor on their platform in February 2024.
The version identified by GuidePoint featured several notable advancements compared to its predecessor. The backdoor utilized obfuscation techniques sourced from PyObfuscate[.]com, significantly complicating its analysis and detection. It was deployed through lateral movement facilitated by Remote Desktop Protocol (RDP), highlighting a strategic approach to spreading malware within the network.
Furthermore, unique indicators of compromise were identified, including specific filenames, scheduled task names, and command-and-control (C2) addresses that offered crucial insights into the threat actor’s operations. The investigation also revealed 18 IP addresses tied to the malware’s C2 infrastructure, emphasizing the scale of its network capabilities.
Technical Detail
GuidePoint Security's investigation revealed a connection between the SocGholish (FakeUpdate) framework and the initial access phase of the incident, similar to findings previously reported by ReliaQuest. In this case, the Python-based backdoor was deployed approximately 20 minutes after the initial compromise. Following this, the threat actor expanded their foothold by deploying additional instances of the backdoor during lateral movement facilitated through RDP sessions.
The threat actor followed a methodical process to install Python and establish the backdoor across all affected systems. This involved moving to the designated target directory, installing Python, setting up PIP along with the necessary libraries, deploying a Python proxy script, and achieving persistence through the creation of Windows scheduled tasks. Notably, the process used to deploy the backdoor on systems accessed via lateral movement was nearly identical to the steps used during the initial compromise linked to SocGholish.
This consistency in deployment suggests that the Python-based backdoor is more likely a distinct second-stage payload distributed through SocGholish rather than a module integrated within it. This highlights the threat actor's strategic separation of tools to maintain operational flexibility and ensure the reliability of their payload delivery mechanisms.

The Python script functions as a reverse proxy, connecting to a hardcoded IP and establishing a SOCKS5-based tunnel after an initial C2 handshake. This enables the threat actor to move laterally within the network using compromised systems as proxies. Another version of the malware, uploaded to VirusTotal on September 6, 2024, exhibited no detections and had minor surface-level changes, primarily due to obfuscation likely sourced from PyObfuscate[.]com. The script, first observed on December 6, 2023, remains functionally consistent, with updates aimed at evading detection. Once de-obfuscated, the code appears polished, well-structured, and likely AI-assisted, featuring descriptive methods, robust error handling, and detailed debug logs. Unlike earlier iterations, the obfuscated versions hardcode key variables rather than accepting them as arguments.

Analysis of the network traffic confirmed the behavior of the Python-based malware. During testing with a live C2 server, the script established a connection and initially received two bytes, 22 2A, which read as a little-endian integer (0x2A22) give the decimal port value 10786. Subsequent connections from the infected system targeted this port, validating the malware's functionality. The second TCP session revealed a SOCKS5-like tunnel, with the traffic containing a tunneled HTTP request and response. The target address in this session was a Google IP, 142.250.68[.]110, on destination port 80. This behavior matches the malware's design: lateral movement and network tunneling through compromised systems.
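A defender-side check of the two-stage exchange described in the previous two paragraphs (the two-byte little-endian port in the first C2 reply, then a SOCKS5-style CONNECT over the second session), written as an added example and not code from the report or from the malware. It assumes the tunnel uses the standard RFC 1928 request layout, which the report only describes as SOCKS5-like, and runs on constructed sample bytes.

```python
import ipaddress
import struct

SOCKS5_VERSION, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03

def decode_handshake_port(reply: bytes) -> int:
    """First C2 reply: two bytes, little-endian, naming the port the tunnel will use."""
    if len(reply) != 2:
        raise ValueError("handshake reply must be exactly two bytes")
    return struct.unpack("<H", reply)[0]

def parse_socks5_request(buf: bytes, off: int = 0):
    """Parse an RFC 1928 request (VER CMD RSV ATYP DST.ADDR DST.PORT) at offset `off`.
    Assumes the standard SOCKS5 layout; the report only calls the tunnel SOCKS5-like."""
    hdr = buf[off:off + 4]
    if len(hdr) < 4 or hdr[0] != SOCKS5_VERSION or hdr[2] != 0x00:
        return None
    cmd, atyp, pos = hdr[1], hdr[3], off + 4
    if atyp == ATYP_IPV4 and len(buf) >= pos + 6:
        host, pos = str(ipaddress.IPv4Address(buf[pos:pos + 4])), pos + 4
    elif atyp == ATYP_DOMAIN and len(buf) > pos and len(buf) >= pos + 3 + buf[pos]:
        n = buf[pos]
        host, pos = buf[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    else:
        return None  # IPv6 targets and truncated headers are not handled here
    return {"cmd": cmd, "host": host, "port": struct.unpack("!H", buf[pos:pos + 2])[0]}

def find_socks5_connect(stream: bytes):
    """Scan every offset so a leading method greeting (05 01 00) cannot hide the CONNECT."""
    for off in range(len(stream)):
        req = parse_socks5_request(stream, off)
        if req and req["cmd"] == CMD_CONNECT:
            return req
    return None

def flag_tunnel_sessions(handshake_reply: bytes, sessions):
    """sessions: (dst_port, payload) pairs. Flags those on the handshake-derived port
    that carry a SOCKS5 CONNECT, i.e. the infected host relaying traffic for the C2."""
    port = decode_handshake_port(handshake_reply)
    hits = [(p, find_socks5_connect(d)) for p, d in sessions if p == port]
    return [f"SOCKS5 CONNECT relayed via port {p} -> {r['host']}:{r['port']}" for p, r in hits if r]

# Constructed sample mirroring the report: C2 replies 22 2A, then a session to the decoded
# port 10786 carries a greeting, a CONNECT to 142.250.68.110:80 and a tunneled GET.
SAMPLE_HANDSHAKE = b"\x22\x2a"
SAMPLE_SESSIONS = [
    (443, b"\x16\x03\x01"),  # unrelated TLS fragment on another port, must be ignored
    (10786, b"\x05\x01\x00" + b"\x05\x01\x00\x01\x8e\xfa\x44\x6e\x00\x50" + b"GET / HTTP/1.1\r\n"),
]
```

The same two functions can be pointed at real session payloads exported from a packet capture; a session on a port learned from a two-byte reply that then carries a CONNECT to an external address is the pattern worth alerting on.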

Recommendation
Restrict lateral movement by segmenting the network and limiting access between sensitive and non-sensitive systems. Use strict access controls to minimize the risk of propagation.
Deploy advanced EDR solutions capable of detecting obfuscated scripts, anomalous network traffic, and unauthorized lateral movement. Ensure these solutions are updated regularly to identify new threats, such as the Python backdoor and RansomHub encryptors.
Implement deep packet inspection (DPI) and traffic analysis to detect unusual patterns, such as connections to unknown IPs or SOCKS5-like tunnels. Investigate anomalies promptly to mitigate potential breaches.
Disable unnecessary RDP access and enforce strong authentication mechanisms, such as multi-factor authentication (MFA). Use monitoring tools to track RDP usage and detect unauthorized sessions.
Conclusion
The analysis of the Python-based backdoor highlights its sophisticated design, adaptability, and role in enabling large-scale attacks. By establishing a SOCKS5-like tunnel, the malware facilitates lateral movement and uses compromised systems as proxies, showcasing the threat actor's operational expertise. Combined with the deployment of RansomHub encryptors across the impacted network, this incident underscores the severe impact such tools can have when used together. The use of advanced obfuscation techniques, AI-assisted coding patterns, and strategic deployment further illustrates the actor’s efforts to evade detection.