A new Python-based remote access trojan, dubbed PyRAT, has emerged that targets both Windows and Linux systems. The malware performs surveillance and data theft and talks to its command-and-control (C2) infrastructure over unencrypted HTTP. Security researchers at K7 Security Labs identified the threat, noting its cross-platform capabilities and the use of Python as its primary programming language, which lets one code base serve both operating systems.
Upon execution, PyRAT immediately fingerprints the victim's system. It collects the operating system type, hostname, and current username and transmits them to the attacker's server. This initial data collection lets the operator track individual victims across multiple sessions and keep a persistent view of compromised targets. The sample K7 analysed was an ELF binary uploaded to VirusTotal: a bundle created by PyInstaller version 2.1 that carries a Python 2.7 interpreter together with the agent's bytecode.
Further analysis by K7 Security Labs traced the malicious code to a file named agent-svc.pyc inside the bundle. After unpacking the bundle and decompiling the bytecode, analysts found the core remote access functionality organised within a single class labeled "Agent." This class orchestrates all of the trojan's operations, from initial fingerprinting to ongoing data exfiltration and surveillance.
PyRAT’s Cross-Platform Operation and Persistence
PyRAT's persistence mechanism is chosen according to the operating system it lands on. On Linux, the trojan writes an XDG autostart entry at ~/.config/autostart/dpkgn.desktop. The file name mimics the Debian package manager, dpkg, so that it blends in when an administrator or user skims the directory. Because the entry lives in the user's home directory, it needs no administrative privileges, which are harder to obtain quietly; the trade-off is that XDG autostart entries are only honoured by a graphical desktop session, so the agent is started when that user logs in to a desktop, not at boot and not on a headless server.
On Windows, PyRAT persists by adding a value to the current user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), in the analysed sample under the nondescript name "lee." Programs listed there are launched each time that user logs on. Writing to HKCU requires only the user's own permissions, so the change neither needs elevation nor produces a UAC prompt.
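The two user-level persistence locations above are cheap to audit. The following script is an added example (not K7's code or anything from the sample) that flags suspicious XDG autostart entries and HKCU Run values; the .desktop contents and Run values it checks are constructed, and the Exec path for the dpkgn entry is an assumption, since the report does not give one.

```python
"""Hunt for user-level persistence: XDG autostart .desktop entries (Linux)
and HKCU Run values (Windows). Added example with constructed sample data."""
import configparser
import os
import platform
import re

# Directories where a packaged application's launcher is expected to live.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/", "/usr/libexec/", "/snap/", "/opt/")
# Names that borrow from package managers or system daemons ("dpkgn" mimics dpkg).
LOOKALIKE_RE = re.compile(r"^(dpkg|apt|rpm|yum|systemd|pulse|gnome)\w*$", re.I)
# Scratch and user-writable directories a Run value should rarely point into.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                "\\users\\public\\", "\\downloads\\")

# Constructed sample shaped like the entry in the report; the Exec path is an assumption.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=dpkgn
Exec=/home/alice/.cache/.dpkgn/agent-svc
X-GNOME-Autostart-enabled=true
"""

# Constructed Run values: one legitimate, one shaped like the report's "lee" value.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("lee", r"C:\Users\alice\AppData\Local\Temp\agent-svc.exe"),
]


def audit_autostart_entry(filename, desktop_text):
    """Return the reasons an autostart entry looks suspicious ([] if it looks clean)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(desktop_text)
    if not cp.has_section("Desktop Entry"):
        return ["no [Desktop Entry] section"]
    exec_line = cp["Desktop Entry"].get("Exec", "")
    tokens = exec_line.split()
    program = tokens[0] if tokens else ""   # first token is the program; %u etc. are ignored
    stem = os.path.splitext(filename)[0]
    reasons = []
    if not program:
        reasons.append("empty Exec line")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append("Exec points outside packaged locations: %r" % program)
    if LOOKALIKE_RE.match(stem) and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("system-tool lookalike name %r runs %r" % (stem, program))
    return reasons


def audit_run_values(values):
    """values: (value_name, command) pairs from a Run key. Returns (name, command, reasons)."""
    findings = []
    for name, command in values:
        cmd = command.strip()
        if cmd.startswith('"'):            # quoted path, possibly followed by arguments
            exe = cmd[1:cmd.find('"', 1)]
        else:
            exe = cmd.split()[0] if cmd.split() else ""
        exe_stem = os.path.splitext(os.path.basename(exe.replace("\\", "/")))[0].lower()
        reasons = []
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            reasons.append("executable in a scratch/user-writable directory: %r" % exe)
        if name.lower() not in exe_stem and exe_stem not in name.lower():
            reasons.append("value name %r is unrelated to executable %r" % (name, exe_stem))
        if reasons:
            findings.append((name, command, reasons))
    return findings


def collect_windows_run_values():
    """Read the live HKCU Run key on Windows; returns [] on other platforms."""
    if platform.system() != "Windows":
        return []
    import winreg
    out, i = [], 0
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:       # no more values
                break
            out.append((name, str(value)))
            i += 1
    return out


if __name__ == "__main__":
    print("dpkgn.desktop:", audit_autostart_entry("dpkgn.desktop", SAMPLE_DESKTOP))
    for name, cmd, why in audit_run_values(SAMPLE_RUN_VALUES + collect_windows_run_values()):
        print("Run value %r -> %s: %s" % (name, cmd, "; ".join(why)))
```

On a real host, point audit_autostart_entry at each file under ~/.config/autostart and feed collect_windows_run_values into audit_run_values; the heuristics are deliberately simple and will need tuning for a fleet where legitimate software starts from AppData.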
Command-and-Control Infrastructure and Communication
The trojan communicates with its command server using plain HTTP POST requests to a small set of endpoints, and it sends the collected system data as unencrypted JSON. From the operator's point of view this is a weakness: every beacon is readable by a proxy, IDS or packet capture, and the fingerprint fields are a ready-made signature. Although the traffic is unencrypted, the malware does use a semi-persistent identifier for tracking victims, built by combining the user's username with the machine's MAC address. This keeps a victim recognisable across reboots and reinstalls of the agent even when other system details change, and it also means a MAC-address-shaped string inside an HTTP body is itself something worth alerting on.
PyRAT's polling frequency is dynamic and follows the state of the infected system. During idle periods the interval between check-ins is stretched out to reduce the amount of traffic a monitor would see. When the system is in use or commands are being received, the trojan polls the C2 server rapidly, often every half second, so that new instructions are picked up promptly. The adaptive cadence trades stealth for responsiveness, and the burst of sub-second POSTs to the same host is a second observable that a cleartext beacon cannot hide.
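Because the beacon is cleartext, both traits described above can be checked from ordinary HTTP logs. The detector below is an added example and not K7's code: it parses constructed log lines (timestamp, source, method, path, content type, body), finds POSTs whose JSON carries the OS/hostname/username triple, looks for a MAC-address-shaped substring in any string field so that it does not depend on how the username and MAC are joined, and profiles per-source request timing for sub-second polling. The endpoint paths and JSON field names are assumptions; the report only says which data is sent, not how it is named.

```python
"""Detect PyRAT-style cleartext beacons in HTTP logs. Added example; the log
format, endpoint paths and JSON field names are constructed assumptions."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

FINGERPRINT_KEYS = {"os", "hostname", "username"}   # assumed field names
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

# Constructed sample: "<timestamp> <src> <method> <path> <content-type> <body>".
SAMPLE_LOG = """\
2024-05-01T09:00:00.000 10.0.0.12 POST /agent/register application/json {"os":"Linux","hostname":"dev-ws","username":"alice","id":"alice-52:54:00:12:34:56"}
2024-05-01T09:00:00.500 10.0.0.12 POST /agent/poll application/json {"id":"alice-52:54:00:12:34:56"}
2024-05-01T09:00:01.000 10.0.0.12 POST /agent/poll application/json {"id":"alice-52:54:00:12:34:56"}
2024-05-01T09:00:01.500 10.0.0.12 POST /agent/poll application/json {"id":"alice-52:54:00:12:34:56"}
2024-05-01T09:05:00.000 10.0.0.12 POST /agent/poll application/json {"id":"alice-52:54:00:12:34:56"}
2024-05-01T09:10:00.000 10.0.0.12 POST /agent/poll application/json {"id":"alice-52:54:00:12:34:56"}
2024-05-01T09:10:00.200 10.0.0.40 POST /api/metrics application/json {"cpu":0.2,"mem":0.5}
"""


def parse_line(line):
    ts, src, method, path, ctype, body = line.split(" ", 5)
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None          # not JSON; keep the record for timing analysis anyway
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "path": path, "ctype": ctype, "payload": payload}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def walk_strings(obj):
    """Yield every string value nested anywhere in a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def fingerprint_posts(records):
    """POSTs whose JSON body carries the OS / hostname / username triple."""
    return [r for r in records
            if r["method"] == "POST" and isinstance(r["payload"], dict)
            and FINGERPRINT_KEYS <= {k.lower() for k in r["payload"]}]


def mac_tagged_ids(records):
    """Map source address -> identifier strings that embed a MAC address."""
    found = defaultdict(set)
    for r in records:
        for s in walk_strings(r["payload"]):
            if MAC_RE.search(s):
                found[r["src"]].add(s)
    return dict(found)


def polling_profile(records, fast_threshold=0.75, min_fast=3):
    """Per-source inter-request gaps; fast_polling is set after min_fast sub-threshold gaps."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    profile = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue
        fast = sum(1 for g in gaps if g <= fast_threshold)
        profile[src] = {"requests": len(stamps), "min_gap": min(gaps),
                        "median_gap": statistics.median(gaps), "max_gap": max(gaps),
                        "fast_polling": fast >= min_fast}
    return profile


def suspicious_sources(text):
    """Sources that both identified themselves (fingerprint or MAC id) and polled fast."""
    records = parse_log(text)
    fp = {r["src"] for r in fingerprint_posts(records)}
    macs = mac_tagged_ids(records)
    prof = polling_profile(records)
    return sorted(s for s in prof if prof[s]["fast_polling"] and (s in fp or s in macs))


if __name__ == "__main__":
    for src, stats in polling_profile(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

The idle gaps in the sample (five minutes between later polls) show why a simple "requests per hour" threshold would miss this agent; the profile keeps the minimum gap and the count of fast gaps so that a short active burst is still visible after a long quiet period.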
Extensive Remote Access and Data Exfiltration Capabilities
The trojan has extensive file operation capabilities. It supports arbitrary file uploads and downloads, sending files as multipart form-data. PyRAT can enumerate entire directory trees, change the current working directory, and build ZIP archives for bulk exfiltration, compressing entries with DEFLATE, the standard ZIP method. This lets an operator package and steal large volumes of data from a compromised system in a single upload.
Beyond file operations, PyRAT includes a screenshot capability. It uses PIL's ImageGrab module to capture the entire screen, saves the image as a temporary JPEG file and uploads it to the attacker's server, giving the operator a view of what the user is doing. One caveat the report does not address: in the Pillow releases that still support Python 2.7, ImageGrab only captures on Windows and macOS, so this feature is unlikely to work as-is on the Linux build. To keep the agent responsive, each operation runs in its own thread, so no single task blocks the main communication loop and the trojan can keep receiving commands while earlier tasks are still running.
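Since the uploads travel as cleartext multipart/form-data, an analyst can rebuild exfiltrated files straight from a capture. The following is an added example, not code from the sample or from K7: it constructs an upload body in the shape the report describes (a text field, a DEFLATE-compressed ZIP and a JPEG-like blob), splits it back into parts with a small multipart parser, classifies each file by its leading bytes and lists the ZIP's entries and compression method. The boundary, field names and file contents are all constructed.

```python
"""Reconstruct and classify multipart/form-data uploads from a cleartext capture.
Added example; the upload body, boundary, field names and contents are constructed."""
import io
import zipfile

BOUNDARY = b"----pyrat-example-boundary"   # constructed


def build_sample_upload(boundary=BOUNDARY):
    """Build an upload body like the one described in the report (example data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("Documents/notes.txt", "quarterly numbers " * 40)
        z.writestr(".ssh/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n")
    archive = buf.getvalue()
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"   # JPEG magic + trailer only

    def file_part(name, filename, ctype, data):
        return (b"--" + boundary + b"\r\n"
                b'Content-Disposition: form-data; name="' + name + b'"; filename="' + filename + b'"\r\n'
                b"Content-Type: " + ctype + b"\r\n\r\n" + data + b"\r\n")

    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="id"\r\n\r\n'
            b"alice-52:54:00:12:34:56\r\n"
            + file_part(b"file", b"home.zip", b"application/zip", archive)
            + file_part(b"file", b"screen.jpg", b"image/jpeg", fake_jpeg)
            + b"--" + boundary + b"--\r\n")
    return body


def parse_multipart(body, boundary):
    """Minimal multipart splitter: returns [(headers_dict, raw_bytes), ...]."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append((headers, data))
    return parts


def disposition_params(value):
    """'form-data; name="f"; filename="x"' -> {'name': 'f', 'filename': 'x'}"""
    params = {}
    for item in value.split(";")[1:]:
        k, _, v = item.strip().partition("=")
        params[k] = v.strip().strip('"')
    return params


def classify(data):
    """Identify the payload by magic bytes rather than by the declared Content-Type."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def extract_uploads(body, boundary=BOUNDARY):
    """Return (form_fields, uploads); each upload lists ZIP entries and their method."""
    fields, uploads = {}, []
    for headers, data in parse_multipart(body, boundary):
        params = disposition_params(headers.get("content-disposition", ""))
        if "filename" not in params:
            fields[params.get("name", "")] = data.decode("utf-8", "replace")
            continue
        kind = classify(data)
        rec = {"field": params.get("name"), "filename": params["filename"],
               "kind": kind, "size": len(data), "zip_entries": []}
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                rec["zip_entries"] = [
                    (i.filename, "deflate" if i.compress_type == zipfile.ZIP_DEFLATED else "other",
                     i.file_size) for i in z.infolist()]
        uploads.append(rec)
    return fields, uploads


if __name__ == "__main__":
    fields, uploads = extract_uploads(build_sample_upload())
    print("fields:", fields)
    for u in uploads:
        print(u)
```

Classifying by magic bytes rather than by the declared Content-Type matters here because the agent controls both the filename and the header; the ZIP entry listing is what tells an incident responder which files actually left the machine.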
The continued development and deployment of adaptable malware like this shows the persistent threat posed by remote access trojans, and K7's researchers will keep monitoring PyRAT for new variants or targeted campaigns. Defenders have concrete places to look: an unexpected .desktop file under ~/.config/autostart, an unexplained value in the current user's Run key, and cleartext JSON POST traffic that carries a hostname, username and MAC address. Beyond that, the usual advice applies: run endpoint protection, keep systems patched, and treat unsigned Python bundles arriving outside normal software channels with suspicion.

