Cybersecurity researchers have identified a new Python-based malware that uses process injection to hide inside legitimate Windows processes. The threat is an example of a newer generation of fileless attack chains: multi-layer obfuscation combined with trusted system utilities to slip past traditional defenses. Its ability to masquerade as harmless files while carrying a complete Python runtime is what makes it hard for current detection methods to catch.
Security analysts at K7 Labs discovered the sample during routine analysis. It is a 65 MB file consisting largely of filler data, with a small, valid marshalled .pyc fragment concealed at the end. That fragment carries the core malicious code, which injects into legitimate Windows processes. The sample combines several techniques: multi-layer encoding, archive-type masquerading, and a Python runtime bundled inside a seemingly legitimate, signed executable.
New Python Malware Leverages Process Injection for Stealth
The K7 Labs team noted that the malware’s impact extends beyond the initial infection: it establishes persistent command-and-control (C2) communications that remain active after the original loader terminates. The infection chain starts with a PE dropper that reconstructs a batch script at runtime by decrypting it with SIMD instructions. This script drops a file named `config.bat` into the public user directory, which in turn downloads a file disguised as a PNG image from cloud storage.
In reality, the download is a RAR archive. The ruse is simple but effective against filters that treat image files as benign. The batch script then extracts the archive with the built-in `tar` command (Windows 10 and later ship bsdtar as `tar.exe`, and libarchive identifies an archive by its contents rather than its extension, so the `.png` name does nothing to prevent extraction). Three components emerge: `AsusMouseDriver.sys` (a password-protected RAR masquerading as a system file), `Interput.json` (renamed to `Install.bat`), and a legitimate WinRAR executable used for further unpacking.
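The extension-versus-content mismatch that lets this lure through is also the cheapest place to catch it. The following is an added example, not code from the K7 Labs write-up: it sniffs the leading bytes of a file against the public PNG and RAR magic numbers and reports any file whose name claims one format while its content is another. The two sample files are constructed inline; the temporary directory and file names are assumptions for the demonstration.

```python
"""Flag files whose content does not match the type their extension claims.

Added example, not code from the K7 Labs report.  PNG_MAGIC, RAR4_MAGIC and
RAR5_MAGIC are the published file-format signatures; the sample files are
constructed below so the script runs offline.
"""
from pathlib import Path
import tempfile

# Magic numbers for the two formats involved in the disguise.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Extension -> acceptable leading signatures for that extension.
EXPECTED_BY_EXT = {
    ".png": (PNG_MAGIC,),
    ".rar": (RAR4_MAGIC, RAR5_MAGIC),
}


def sniff(head: bytes) -> str:
    """Identify a file from its first bytes, ignoring its name entirely."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith((RAR4_MAGIC, RAR5_MAGIC)):
        return "rar"
    return "unknown"


def check_file(path: Path) -> dict:
    """Compare what the extension claims with what the bytes say.

    A .png whose content sniffs as a RAR archive is exactly the lure described
    in the article.  Files with an extension we have no signature for are
    reported but never counted as a mismatch."""
    with path.open("rb") as fh:
        head = fh.read(16)
    ext = path.suffix.lower()
    claimed = ext.lstrip(".") if ext in EXPECTED_BY_EXT else "unknown"
    actual = sniff(head)
    mismatch = claimed != "unknown" and actual != claimed
    return {"path": str(path), "claimed": claimed, "actual": actual, "mismatch": mismatch}


def scan(directory: Path) -> list[dict]:
    """Return only the files whose content contradicts their extension."""
    hits = []
    for p in sorted(directory.iterdir()):
        if p.is_file():
            result = check_file(p)
            if result["mismatch"]:
                hits.append(result)
    return hits


def build_samples(directory: Path) -> None:
    """Constructed fixtures: a minimal genuine PNG header, and a RAR5 header
    saved under a .png name to mirror the disguised download."""
    (directory / "photo.png").write_bytes(PNG_MAGIC + b"\x00" * 32)
    (directory / "wallpaper.png").write_bytes(RAR5_MAGIC + b"\x00" * 32)


def demo() -> list[dict]:
    """Build the fixtures in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        return scan(Path(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: named .{hit['claimed']} but content is {hit['actual']}")
```

The same principle applies to the second stage: `AsusMouseDriver.sys` would sniff as a RAR archive, not as a PE driver image, so a content-based check at the download or extraction boundary catches both disguised files without any knowledge of this particular campaign.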
Once the bundled Python runtime is executed, it processes the command-line arguments “dcconsbot” and “dcaat” to start a multi-stage de-obfuscation chain: Base64 decoding, BZ2 decompression, Zlib decompression, and finally marshal loading. This sequence reconstructs compiled Python bytecode directly in memory without ever writing a .pyc to disk. The reconstructed code then targets `cvtres.exe`, a legitimate Microsoft resource conversion utility, for process injection.
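Because each layer of that chain is a standard library transform, an analyst can reverse it statically and inspect the resulting code object without executing it. The following is an added example, not the malware’s loader: it compiles a harmless stand-in payload, wraps it in the same layer order the article describes (marshal, then zlib, then bz2, then Base64), appends it to filler bytes to mimic the oversized carrier file, and then carves and unwraps the tail for triage. The `beacon` function, the NUL filler and the carving heuristic are constructed for the example; `marshal.loads` is never followed by `exec`.

```python
"""Statically unwrap a Base64 -> bz2 -> zlib -> marshal loader stage.

Added example, not the sample's own code.  The payload below is a harmless
code object compiled here; the carrier is NUL filler plus the wrapped stage,
standing in for a large file with a small valid fragment at its tail.  The
recovered code object is only disassembled, never executed.
"""
import base64
import bz2
import dis
import io
import marshal
import types
import zlib

# Harmless stand-in for the real payload (constructed for this example).
_BENIGN_SRC = 'def beacon():\n    return "cvtres.exe"\n'

_B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def wrap(code: types.CodeType) -> bytes:
    """Apply the layers in encoding order: marshal -> zlib -> bz2 -> Base64.
    The loader described in the article reverses exactly this sequence."""
    return base64.b64encode(bz2.compress(zlib.compress(marshal.dumps(code))))


def build_carrier(filler_len: int = 4096) -> bytes:
    """Constructed carrier: filler bytes followed by the wrapped stage."""
    code = compile(_BENIGN_SRC, "<payload>", "exec")
    return b"\x00" * filler_len + wrap(code)


def carve_tail(blob: bytes) -> bytes:
    """Walk back from the end of the file over the Base64 alphabet to isolate
    the trailing fragment.  This heuristic suits the constructed carrier;
    real filler may need an entropy or offset-based cut instead."""
    start = len(blob)
    while start > 0 and blob[start - 1] in _B64_ALPHABET:
        start -= 1
    return blob[start:]


def unwrap(stage: bytes) -> types.CodeType:
    """Reverse the layers without running the result.

    marshal.loads only rebuilds a code object and executes nothing, but
    marshal is not hardened against malformed input, so do this inside an
    isolated analysis VM."""
    raw = zlib.decompress(bz2.decompress(base64.b64decode(stage, validate=True)))
    obj = marshal.loads(raw)
    if not isinstance(obj, types.CodeType):
        raise ValueError(f"expected a code object, got {type(obj).__name__}")
    return obj


def triage(code: types.CodeType) -> dict:
    """Pull the indicators an analyst wants first: string constants (including
    those of nested functions), referenced names, and a disassembly."""
    strings = [c for c in code.co_consts if isinstance(c, str)]
    for inner in (c for c in code.co_consts if isinstance(c, types.CodeType)):
        strings += [c for c in inner.co_consts if isinstance(c, str)]
    out = io.StringIO()
    dis.dis(code, file=out)
    return {"names": list(code.co_names), "strings": strings, "disassembly": out.getvalue()}


def analyse(carrier: bytes) -> dict:
    """Carve, unwrap and triage a carrier in one step."""
    return triage(unwrap(carve_tail(carrier)))


if __name__ == "__main__":
    report = analyse(build_carrier())
    print("names:  ", report["names"])
    print("strings:", report["strings"])
    print(report["disassembly"])
```

Marshal output is tied to the interpreter version that produced it, so the bytecode recovered from a real sample must be loaded with the same Python version the bundled runtime ships; the version is readable from the runtime’s own DLL and `pyc` headers.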
Infection Mechanism Deep Dive
The core infection mechanism is a carefully orchestrated, multi-stage extraction process that shows the attackers understand both Windows internals and the blind spots of common security tools. After the PE dropper runs, the `config.bat` script creates `C:\DragonAntivirus` as a working directory before downloading the disguised archive.
The `Install.bat` script then renames the bundled WinRAR executable and uses it to extract the password-protected `AsusMouseDriver.sys` archive, with a hardcoded password, into the `C:\Users\Public\WindowsSecurityA` directory. That directory ends up holding a fake `ntoskrnl.exe` (actually the bundled Python runtime; the real kernel image never runs as a user-mode process) and the `Libimage` blob containing the obfuscated payload.
To distract the user, a decoy PDF document is opened while the malicious code runs silently in the background. The runtime feeds the `Libimage` blob through its layered de-obfuscation routine and then injects the result into `cvtres.exe`. After a successful injection, it establishes encrypted C2 communications. Code that lives inside a legitimate Microsoft process while keeping an encrypted channel open is particularly dangerous in enterprise environments, because signature-based detection has nothing on disk to match against and the process name itself looks benign.
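The chain nonetheless leaves behavioral traces that do not depend on signatures: a process named `ntoskrnl.exe` running from a user-writable directory, and `cvtres.exe` started by something other than build tooling and then talking on the network. The following is an added example, not a K7 Labs detection: it evaluates Sysmon-style process records against those relationships. The event records are constructed, and the allow-list of expected `cvtres.exe` parents and the set of user-writable path prefixes are assumptions to tune for a real environment.

```python
"""Flag the process relationships described in this infection chain.

Added example, not a vendor detection.  Events are constructed in a
Sysmon-like shape (image, parent image, network flag).  The parent allow-list
and user-writable prefixes are illustrative assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    made_network_conn: bool = False


# cvtres.exe is a Visual Studio / .NET resource converter; in a normal build it
# is started by the linker or build tooling.  Assumed allow-list.
CVTRES_EXPECTED_PARENTS = {"link.exe", "msbuild.exe", "devenv.exe", "cl.exe"}

# ntoskrnl.exe is the kernel image itself and never appears as a user-mode
# process; any process carrying that name is a masquerade by definition.
KERNEL_ONLY_NAMES = {"ntoskrnl.exe"}

# Locations an unprivileged user can write to (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Where legitimate Microsoft binaries live; spawning one from a staging
# directory is the living-off-the-land pattern in this chain.
SYSTEM_BINARY_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty = clean)."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in KERNEL_ONLY_NAMES:
        hits.append("kernel_image_name_as_process")
    if image == "cvtres.exe":
        if parent not in CVTRES_EXPECTED_PARENTS:
            hits.append("cvtres_unexpected_parent")
        if ev.made_network_conn:
            # A resource converter has no business opening sockets.
            hits.append("cvtres_network_activity")
    if (ev.parent_image.lower().startswith(USER_WRITABLE_PREFIXES)
            and ev.image.lower().startswith(SYSTEM_BINARY_PREFIXES)):
        hits.append("system_binary_spawned_from_user_writable_dir")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each offending pid to the rules it tripped; clean events are dropped."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


def demo_events() -> list[ProcEvent]:
    """Constructed telemetry: two benign build-related events, then the two
    steps of the chain described in the article."""
    return [
        ProcEvent(1, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
                  r"C:\Windows\explorer.exe"),
        ProcEvent(2, r"C:\Program Files (x86)\Microsoft Visual Studio\VC\bin\cvtres.exe",
                  r"C:\Program Files (x86)\Microsoft Visual Studio\VC\bin\link.exe"),
        ProcEvent(3, r"C:\Users\Public\WindowsSecurityA\ntoskrnl.exe",
                  r"C:\Windows\System32\cmd.exe"),
        ProcEvent(4, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
                  r"C:\Users\Public\WindowsSecurityA\ntoskrnl.exe", made_network_conn=True),
    ]


if __name__ == "__main__":
    for pid, rules in triage(demo_events()).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

The allow-list rule will fire on developer workstations whenever a custom build script launches `cvtres.exe` directly, so treat the parent check as a low-severity signal and let the network-connection and kernel-name rules carry the weight.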
The continuing shift toward abusing legitimate binaries for malicious purposes underscores the need for behavior-based detection alongside signatures. Organizations should monitor for unusual process relationships, such as `cvtres.exe` started by anything other than build tooling or making network connections, and binaries named after kernel components running from user-writable directories, and keep their security software up to date to counter such evasion techniques.