RansomHub Exploits Network Vulnerabilities with Python-Based Malware
Researchers at GuidePoint Security have uncovered a sophisticated attack leveraging a Python-based backdoor to establish persistent access to compromised systems, ultimately deploying the RansomHub ransomware across targeted networks.
The initial access was achieved via the SocGholish (FakeUpdates) JavaScript malware, distributed through drive-by campaigns that trick users into downloading fake browser updates. These campaigns often exploit legitimate websites infected through black hat SEO techniques.
SocGholish connects to attacker-controlled servers to retrieve additional payloads. Recent campaigns have exploited outdated SEO plugins such as Yoast (CVE-2024-4984) and Rank Math PRO (CVE-2024-3665) on WordPress sites to gain entry, The Hacker News reports.
In the analyzed incident, the Python backdoor was dropped approximately 20 minutes after the initial infection and propagated laterally through Remote Desktop Protocol (RDP) sessions.
The backdoor functions as a reverse proxy, connecting to a hard-coded IP address and establishing a SOCKS5-based tunnel for lateral movement. This tunnel enables the threat actor to use the compromised system as a proxy for further network exploitation.
GuidePoint highlighted the backdoor's polished, well-structured code: its thorough error handling and descriptively named methods point to a skilled developer, possibly one assisted by artificial intelligence tools.
Takeaway: The Python-based backdoor is just one of many precursors observed in ransomware attacks. Another prominent tactic involves targeting Amazon S3 buckets by exploiting Amazon Web Services' Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victims' data.
This method ensures that recovery is impossible without the decryption key controlled by the attackers. This activity has been attributed to a threat actor known as Codefinger, as reported by Halcyon researchers earlier this month.
Codefinger employs a variety of tools prior to ransomware deployment, including:
- EDRSilencer and Backstab: Tools designed to disable Endpoint Detection and Response (EDR) solutions
- LaZagne: A credential-stealing utility used to harvest sensitive information
- MailBruter: A brute-forcing tool aimed at compromising email accounts
- Sirefef and Mediyes: Malware that enables stealthy access and the delivery of additional payloads
Adding to the urgency, Codefinger employs ransom tactics that involve setting files for deletion within seven days using the S3 Object Lifecycle Management API, pressuring victims to comply with payment demands.
"Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to read and write S3 objects," Halcyon explained. "By leveraging AWS native services, they achieve encryption in a manner that is both secure and unrecoverable without their cooperation."
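The two signals described above, SSE-C object writes followed by a lifecycle rule that expires objects within days, can be correlated from CloudTrail S3 logs. The following detection script is an added example, not code from Halcyon or GuidePoint; the event field layout (eventName, requestParameters, additionalEventData.SSEApplied) and the sample records are assumptions constructed to mirror CloudTrail's shape.

```python
import json

MAX_EXPIRATION_DAYS = 7  # the article reports deletion scheduled within seven days

# Constructed sample CloudTrail-style records (not real logs). The field layout
# follows the CloudTrail S3 event shape as an assumption; adapt it to your exporter.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutObject", "requestParameters": {"bucketName": "finance-data", "key": "q1.xlsx"},
  "additionalEventData": {"SSEApplied": "SSE_C"}},
 {"eventName": "PutObject", "requestParameters": {"bucketName": "finance-data", "key": "q2.xlsx"},
  "additionalEventData": {"SSEApplied": "SSE_C"}},
 {"eventName": "PutBucketLifecycle", "requestParameters": {"bucketName": "finance-data",
  "LifecycleConfiguration": {"Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
 {"eventName": "PutObject", "requestParameters": {"bucketName": "web-assets", "key": "a.png"},
  "additionalEventData": {"SSEApplied": "SSE_KMS"}},
 {"eventName": "PutBucketLifecycle", "requestParameters": {"bucketName": "web-assets",
  "LifecycleConfiguration": {"Rule": [{"Status": "Enabled", "Expiration": {"Days": 365}}]}}}
]""")


def is_ssec_write(event):
    """True for an object write whose encryption used a customer-provided key (SSE-C)."""
    if event.get("eventName") not in ("PutObject", "CopyObject"):
        return False
    return event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"


def short_expirations(event, max_days=MAX_EXPIRATION_DAYS):
    """Expiration periods (in days) from a lifecycle change that are at or below max_days."""
    if event.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        return []
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule may be serialised as an object rather than a list
        rules = [rules]
    return [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and r.get("Expiration", {}).get("Days", 10**9) <= max_days]


def find_suspicious_buckets(events):
    """Map bucket -> (ssec_write_count, short_expiry_days), keeping only buckets with both signals."""
    seen = {}
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if not bucket:
            continue
        entry = seen.setdefault(bucket, [0, []])
        if is_ssec_write(ev):
            entry[0] += 1
        entry[1].extend(short_expirations(ev))
    return {b: (writes, days) for b, (writes, days) in seen.items() if writes and days}


if __name__ == "__main__":
    for bucket, (writes, days) in find_suspicious_buckets(SAMPLE_EVENTS).items():
        print(f"{bucket}: {writes} SSE-C writes, lifecycle expiry in {days} days")
```

Either signal alone has legitimate uses; the combination on one bucket within a short window, especially from a key not normally seen writing there, is what warrants an alert.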