GuidePoint warns of Python backdoor used in ransomware
GuidePoint Security has identified an instance of a threat actor utilising a Python-based backdoor to maintain access to compromised endpoints and deploy RansomHub encryptors across affected networks.
During an incident response in the fourth quarter of 2024, GuidePoint Security found evidence of a threat actor using a Python-based backdoor for persistent access. This was followed by the deployment of RansomHub encryptors on the compromised network. Andrew Nelson, Principal Digital Forensics and Incident Response Consultant at GuidePoint Security, stated that the threat actor used the backdoor to establish a foothold and spread the encryptors.
ReliaQuest first documented an earlier version of this backdoor in February 2024, but GuidePoint noted specific updates in the newer version. Notably, these include obfuscation with PyObfuscate, deployment via Remote Desktop Protocol lateral movement, and unique indicators of compromise such as specific filenames, scheduled task names, and command-and-control addresses.
GuidePoint has identified 18 IP addresses that form part of the Python backdoor's command-and-control infrastructure. These will be shared with DrB_RA on GitHub under "Ransomhub Python C2" within the C2IntelFeeds project.
The initial access was linked to SocGholish (FakeUpdate), which is similar to previous findings by ReliaQuest. The Python backdoor was deployed approximately 20 minutes following the initial infection, and later installations occurred during lateral movements via Remote Desktop Protocol sessions. The threat actor followed a systematic process to entrench the Python installation across all compromised systems, including downloading and setting up Python libraries and creating persistent scripts.
The Python script functions as a reverse proxy negotiating with a hardcoded IP address to establish a tunnel comparable to the SOCKS5 protocol. This enables lateral movement inside the compromised network.
Research into this software variant also revealed a version uploaded to VirusTotal on 6 September 2024, which remained undetected at the time of examination. The Python script was notably polished, hinting at a high level of coding proficiency or AI-assisted coding methods, as indicated by highly descriptive method names and error handling.
Command-and-control processing involves creating a TCP socket to establish a connection, waiting for specific bytes, and eventually establishing a new connection and creating a SOCKS5-like tunnel. Notably, the script only supports TCP traffic and does not accommodate IPv6 addresses.
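The behaviour described above (a Python interpreter opening an outbound TCP connection to a hardcoded external IPv4 address, the same address reused on several hosts, and RDP sessions following the first beacon) can be hunted for in endpoint network-connection telemetry. The following is an added example written for this article, not GuidePoint's or ReliaQuest's tooling; it assumes Sysmon-style network-connection records reduced to dictionaries, and the event records, hostnames, file paths and IP addresses are constructed (203.0.113.0/24 is a documentation range used here as a stand-in for an external C2 address).

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the report): one per network connection.
# "ts" is seconds; "image" is the process that opened the socket.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\Public\python\python.exe",
     "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "ts": 100},
    {"host": "WS01", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "proto": "tcp", "dst_ip": "203.0.113.50", "dst_port": 443, "ts": 101},
    {"host": "WS01", "image": r"C:\Windows\System32\mstsc.exe",
     "proto": "tcp", "dst_ip": "10.0.0.25", "dst_port": 3389, "ts": 1300},
    {"host": "SRV02", "image": r"C:\Users\Public\python\pythonw.exe",
     "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "ts": 1500},
    {"host": "SRV02", "image": r"C:\Users\Public\python\python.exe",
     "proto": "tcp", "dst_ip": "10.0.0.30", "dst_port": 8080, "ts": 1510},
    {"host": "DEV03", "image": r"C:\Python312\python.exe",
     "proto": "udp", "dst_ip": "198.51.100.5", "dst_port": 53, "ts": 1600},
]

# Address space treated as internal; anything else (IPv4 only, matching the
# script's IPv4-only tunnel) is considered a potential C2 destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

PYTHON_IMAGES = ("python.exe", "pythonw.exe", "python3.exe")


def is_external_ipv4(addr):
    """True for a syntactically valid IPv4 address outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def is_python_image(image):
    """Match the interpreter by file name regardless of install location."""
    name = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name in PYTHON_IMAGES


def find_candidate_beacons(events):
    """Python interpreter -> external IPv4 over TCP: the backdoor's C2 pattern."""
    return [e for e in events
            if e["proto"].lower() == "tcp"
            and is_python_image(e["image"])
            and is_external_ipv4(e["dst_ip"])]


def shared_destinations(beacons):
    """Destinations contacted by two or more hosts: a hardcoded C2 address
    reused across systems stands out from one-off developer activity."""
    hosts_by_dst = defaultdict(set)
    for b in beacons:
        hosts_by_dst[b["dst_ip"]].add(b["host"])
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items()
            if len(hosts) >= 2}


def rdp_after_beacon(events, beacons, window=3600):
    """Outbound RDP from a host within `window` seconds of its first beacon,
    the lateral-movement step the report describes."""
    first_beacon = {}
    for b in beacons:
        first_beacon[b["host"]] = min(first_beacon.get(b["host"], b["ts"]), b["ts"])
    hits = []
    for e in events:
        if (e["proto"].lower() == "tcp" and e["dst_port"] == 3389
                and e["host"] in first_beacon
                and 0 <= e["ts"] - first_beacon[e["host"]] <= window):
            hits.append(e)
    return hits


def triage(events):
    """Run all three checks and return a summary suitable for an alert."""
    beacons = find_candidate_beacons(events)
    return {
        "beacons": beacons,
        "shared_c2": shared_destinations(beacons),
        "rdp_after_beacon": rdp_after_beacon(events, beacons),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The internal-network list is deliberately explicit rather than relying on `ipaddress.is_global`, which classifies the documentation ranges used in the sample as non-global and would hide them; in production, replace it with the organisation's own address plan. The rule set is a starting point for hunting, not a signature: the interpreter running from a user-writable path, as in the sample, is a further signal worth adding where process-creation telemetry is available.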
Network traffic examination confirmed the initial connection and subsequent actions, demonstrating the malware's SOCKS5-like tunnelling applied to HTTP traffic. This was observed in tunnelled communications to an IP address associated with Google, using the configured destination port.
GuidePoint asserts that ransomware affiliates continue exploiting Python-based backdoors for persistence and to circumvent security measures. There is also an indication that AI-assisted coding is being adopted for malware development and maintenance. Additional C2 addresses linked to these backdoors have been identified, and information about them will be disseminated through GitHub feeds from DrB_RA and GuidePoint.