

Ethical Hacking News

The Sophisticated Threat Actor Utilizing Python-Based Malware to Exploit Network Flaws



A new type of ransomware attack has been discovered, in which Python-based malware is used to exploit network flaws and deploy RansomHub ransomware throughout compromised networks. This article covers the details of the attack, including the use of SocGholish malware for initial access, the deployment of a Python-based backdoor, and the tactics the threat actor uses to maintain persistent access to compromised endpoints. By understanding the tactics and techniques employed by the Codefinger threat actor, organizations can take proactive measures to protect themselves against this type of attack.

  • Cybersecurity researchers have identified a sophisticated threat actor dubbed Codefinger using Python-based malware to exploit network flaws and deploy ransomware.
  • The initial access is facilitated by a JavaScript malware named SocGholish (aka FakeUpdates), which is distributed via drive-by campaigns tricking unsuspecting users into downloading bogus web browser updates.
  • The SocGholish campaign has targeted WordPress sites relying on outdated SEO plugins for initial access, and the Python backdoor was dropped about 20 minutes after infection via SocGholish.
  • The Python-based backdoor establishes a tunnel using the SOCKS5 protocol, allowing lateral movement in the compromised network.
  • Security experts are urging organizations to take immediate action to protect themselves against this new type of attack, including ensuring software is up-to-date and implementing robust security measures.


Cybersecurity researchers have been sounding the alarm about a sophisticated threat actor using Python-based malware to exploit network flaws and deploy ransomware throughout compromised networks. In the attack, a Python-based backdoor maintains persistent access to compromised endpoints, and that access is then leveraged to deploy the RansomHub ransomware throughout the target network. The activity has been attributed to a threat actor dubbed Codefinger.

According to recent reports, initial access is facilitated by a JavaScript malware downloader named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates. Such attacks commonly involve legitimate-but-infected websites to which victims are redirected from search engine results using black hat Search Engine Optimization (SEO) techniques.

Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads. As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.

The Python backdoor was found to be dropped about 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines located in the same network during lateral movement via RDP sessions. Functionally, the script is a reverse proxy that connects to a hard-coded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol.
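The chain described above (a fake-update JavaScript download, then a Python backdoor roughly 20 minutes later, with the backdoor calling out to a hard-coded address) lends itself to a simple time-window correlation over endpoint telemetry. The following is an added example written for this article, not code from the researchers or from the malware: it parses constructed pipe-delimited process and network events, flags a script host executing a `.js` file out of a user's Downloads folder, and alerts when the same host's Python interpreter connects to a non-RFC 1918 address within 30 minutes. The event format, image names, file paths, IP addresses (documentation ranges standing in for attacker infrastructure) and the 30-minute window are all assumptions of the example.

```python
"""Correlate endpoint telemetry for a fake-update script followed by a Python
process reaching out to an external address.

Added detection-engineering example. The pipe-delimited event format, image
names, file paths, IP addresses and the 30-minute window are assumptions of this
example; the documentation-range addresses stand in for attacker infrastructure.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed telemetry format: timestamp|host|kind|image|detail
#   kind "process": detail is the command line
#   kind "netconn": detail is "dst_ip:dst_port"
SAMPLE_TELEMETRY = [
    "2025-01-10T09:02:11|WS-042|process|chrome.exe|chrome.exe --profile-directory=Default",
    "2025-01-10T09:03:40|WS-042|process|wscript.exe|wscript.exe C:\\Users\\jdoe\\Downloads\\Update.js",
    "2025-01-10T09:04:02|WS-042|netconn|wscript.exe|203.0.113.10:443",
    "2025-01-10T09:23:35|WS-042|process|python.exe|python.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.py",
    "2025-01-10T09:23:40|WS-042|netconn|python.exe|198.51.100.7:443",
    "2025-01-10T09:30:00|WS-017|netconn|python.exe|10.0.0.5:5432",  # internal traffic, no script before it
    "2025-01-10T11:00:00|WS-099|process|wscript.exe|wscript.exe C:\\Users\\asmith\\Downloads\\Update.js",
    "2025-01-10T13:00:00|WS-099|netconn|python.exe|198.51.100.7:443",  # two hours later: outside window
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW = timedelta(minutes=30)  # generous margin around the ~20 minutes observed


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    image: str
    detail: str


def parse_line(line: str) -> Event:
    """Split one constructed telemetry line into an Event (image name lower-cased)."""
    ts, host, kind, image, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, kind, image.lower(), detail)


def is_external(ip_text: str) -> bool:
    """True for addresses outside INTERNAL_NETS; malformed input never counts as external."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def is_fake_update_script(ev: Event) -> bool:
    """Script host executing a .js file out of a user's Downloads folder."""
    cmd = ev.detail.lower()
    return ev.kind == "process" and ev.image in SCRIPT_HOSTS \
        and ".js" in cmd and "\\downloads\\" in cmd


def is_python_external_conn(ev: Event) -> bool:
    """Python interpreter opening a connection to an address outside INTERNAL_NETS."""
    if ev.kind != "netconn" or ev.image not in PYTHON_IMAGES:
        return False
    ip_text, _, _ = ev.detail.rpartition(":")
    return is_external(ip_text)


def correlate(events: List[Event]) -> List[dict]:
    """One alert per fake-update execution that is followed, on the same host and
    within WINDOW, by a Python process connecting externally."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, first in enumerate(events):
        if not is_fake_update_script(first):
            continue
        for later in events[i + 1:]:
            if later.ts - first.ts > WINDOW:
                break  # events are sorted, so nothing further can match this script
            if later.host == first.host and is_python_external_conn(later):
                alerts.append({
                    "host": first.host,
                    "script": first.detail,
                    "c2": later.detail,
                    "delta_min": int((later.ts - first.ts).total_seconds() // 60),
                })
                break
    return alerts


def run(lines: List[str]) -> List[dict]:
    """Parse raw telemetry lines and return the correlated alerts."""
    return correlate([parse_line(line) for line in lines])


if __name__ == "__main__":
    for alert in run(SAMPLE_TELEMETRY):
        print(alert)
```

On the constructed sample only WS-042 produces an alert: WS-017 has Python traffic but no preceding script execution, and WS-099's Python connection falls two hours after its script, outside the window. The window is deliberately wider than the observed 20 minutes so that ordinary scheduling jitter does not split the two halves of the chain.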

"This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy," security researcher Andrew Nelson said. "The Python script, an earlier version of which was documented by ReliaQuest in February 2024, has been detected in the wild since early December 2023, while undergoing surface-level changes that are aimed at improving the obfuscation methods used to avoid detection."
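Because the tunnel is built on SOCKS5, the bytes the C2 side sends into the victim's outbound connection follow the fixed RFC 1928 message layout, which a network sensor can recognise on any port. The parser below is an added example, not the researchers' code and not the backdoor's: it decodes the SOCKS5 client greeting and the CONNECT/BIND/UDP ASSOCIATE request messages, rejecting truncated or padded ones, and labels the payloads seen on a session the host itself opened. The sample payloads, including the internal destination addresses, are constructed for the example, and treating SOCKS5 client messages that arrive from the remote end of an outbound session as a reverse-proxy indicator is this example's heuristic, not something the article states.

```python
"""Recognise SOCKS5 (RFC 1928) handshake messages inside captured TCP payloads.

Added detection-engineering example. In a reverse-proxy tunnel the infected host
opens the connection, so the SOCKS5 *client* messages (greeting, CONNECT request)
arrive from the remote C2 side of a session the host initiated.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dst_host: str
    dst_port: int


def parse_greeting(payload: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if payload is a complete SOCKS5 client greeting."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    # Layout: VER | NMETHODS | METHODS[NMETHODS]; at least one method is required.
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:])


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Return a Socks5Request if payload is a complete, well-formed SOCKS5 request."""
    # Layout: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT (2 bytes, big-endian)
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    body = payload[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if not body:
            return None
        addr_len = 1 + body[0]  # one-byte length prefix followed by the name
    else:
        return None
    if len(body) != addr_len + 2:  # reject truncated messages and trailing bytes
        return None
    raw_addr, raw_port = body[:addr_len], body[addr_len:]
    if atyp == ATYP_DOMAIN:
        host = raw_addr[1:].decode("ascii", errors="replace")
    else:
        host = str(ipaddress.ip_address(raw_addr))  # accepts 4- or 16-byte packed form
    (port,) = struct.unpack("!H", raw_port)
    return Socks5Request(CMD_NAMES[cmd], host, port)


def classify_session(remote_to_host: List[bytes]) -> List[str]:
    """Label each payload the remote peer sent into a session the local host opened.

    Heuristic of this example: SOCKS5 client messages coming *from* the remote end
    of an outbound session indicate the local host is acting as a reverse proxy.
    """
    findings = []
    for payload in remote_to_host:
        if parse_greeting(payload) is not None:
            findings.append("socks5-greeting")
            continue
        req = parse_request(payload)
        if req is not None:
            findings.append(f"socks5-{req.command.lower()}:{req.dst_host}:{req.dst_port}")
    return findings


# Constructed sample: what a SOCKS5 client sends to reach internal RDP and SMB hosts.
SAMPLE_REMOTE_TO_HOST = [
    b"\x05\x01\x00",                                            # greeting, NO AUTH offered
    b"\x05\x01\x00\x01" + bytes([10, 0, 0, 25]) + b"\x0d\x3d",  # CONNECT 10.0.0.25:3389
    b"\x05\x01\x00\x03\x0bfileserver1" + b"\x01\xbd",           # CONNECT fileserver1:445
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",         # unrelated payload, ignored
]

if __name__ == "__main__":
    for finding in classify_session(SAMPLE_REMOTE_TO_HOST):
        print(finding)
```

The exact-length checks matter: a SOCKS5 request carries no length field beyond the domain-name prefix, so a parser that accepted trailing bytes would match arbitrary binary traffic that happens to start with `0x05`. Even so, a three-byte greeting is short enough to occur by chance, so the greeting alone should only raise a finding when it is followed by a decodable request on the same session.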

GuidePoint Security also noted that the decoded script is both polished and well-written, indicating that the malware author is either meticulous about maintaining highly readable and testable Python code or is relying on artificial intelligence (AI) tools to assist with the coding task. "With the exception of local variable obfuscation, the code is broken down into distinct classes with highly descriptive method names and variables," Nelson added. "Each method also has a high degree of error handling and verbose debug messages."

The Python-based backdoor is far from the only precursor detected in ransomware attacks. As highlighted by Halcyon earlier this month, other tools deployed prior to ransomware deployment include those responsible for disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab, stealing credentials using LaZagne, compromising email accounts by brute-forcing credentials using MailBruter, and maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes.

In light of these findings, cybersecurity experts are urging organizations to take immediate action to protect themselves against this new type of attack. This includes ensuring that all software is up-to-date, implementing robust security measures such as intrusion detection systems, and educating employees about the dangers of drive-by downloads and phishing attacks.

Furthermore, organizations should prioritize implementing a robust incident response plan, covering rapid identification and containment of compromised endpoints as well as swift communication with affected parties. It is also essential to maintain close collaboration with cybersecurity experts and threat intelligence providers to stay ahead of emerging threats like Codefinger's Python-based malware.

By taking proactive measures to protect their networks and systems, organizations can reduce the risk of falling victim to this type of attack and minimize the potential damage caused by a successful breach. In the coming weeks and months, cybersecurity experts will be monitoring the situation closely, providing updates and guidance as necessary to help organizations stay safe from the Codefinger threat actor.



Related Information:

  • https://thehackernews.com/2025/01/python-based-malware-powers-ransomhub.html


  • Published: Thu Jan 16 02:15:20 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.