Named PY#RATION, the malware disguises itself as Cortana, the Windows voice assistant, to steal user data. It is a remote access trojan that is delivered to victims' PCs through phishing emails and hides its executables in system shortcuts so that they evade antivirus scanning.
Experts have observed different variants of the malware since August. Their main goals are to establish persistence on the system and then access data, saved cookies and clipboard contents, and transfer files. Besides posing as Cortana, it also hides in folders, temporary files and various executables.
Like other RATs (remote access trojans), PY#RATION has a number of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unusual is its use of WebSockets for command-and-control (C2) communication and exfiltration: the traffic rides over ports that are already open in the connection, which helps it avoid detection by firewalls and network monitoring tools.
In the email, the malware arrives disguised as a message from a supposed client attaching the documentation required for a business proposal. Inside the ZIP file is a UK driving licence belonging to a woman.
According to Securonix, the fact that it is a Python-compiled binary makes it extremely flexible: it should run on Windows, OSX and Linux. Among its recommendations, the site advises not opening .zip, .iso and .img attachments from suspicious senders; implementing an application whitelisting policy to restrict the execution of unknown binaries; and deploying additional process-level logging such as Sysmon for extra detection coverage.