Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

The Hacker News
January 16, 2025


Jan 16, 2025 | Ravie Lakshmanan | Endpoint Security / Ransomware

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network.

According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloader named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates.

Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads.


As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.

In the incident investigated by GuidePoint Security, the Python backdoor was found to be dropped about 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines located in the same network during lateral movement via RDP sessions.

“Functionally, the script is a reverse proxy that connects to a hard-coded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol,” security researcher Andrew Nelson said.

“This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy.”

The Python script, an earlier version of which was documented by ReliaQuest in February 2024, has been detected in the wild since early December 2023, while undergoing “surface-level changes” that are aimed at improving the obfuscation methods used to avoid detection.

GuidePoint also noted that the decoded script is both polished and well-written, indicating that the malware author is either meticulous about maintaining highly readable and testable Python code or is relying on artificial intelligence (AI) tools to assist with the coding task.

“With the exception of local variable obfuscation, the code is broken down into distinct classes with highly descriptive method names and variables,” Nelson added. “Each method also has a high degree of error handling and verbose debug messages.”
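The backdoor described above turns the victim host into a SOCKS5 proxy, so one thing a network analyst can do with captured traffic is check which internal hosts are accepting SOCKS5 CONNECT requests on any port. The following script is an added example written for this article, not code from GuidePoint or from the malware itself; it parses the standard RFC 1928 greeting and request messages and reports, per destination host, the targets it was asked to reach. The flow records, addresses and payload bytes are constructed for the example.

```python
"""Recognise SOCKS5 (RFC 1928) greeting and request messages in captured
TCP payloads, so that an analyst can spot endpoints being used as a proxy."""
from __future__ import annotations

import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_METHODS = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}


def parse_greeting(payload: bytes) -> Optional[dict]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    methods = [AUTH_METHODS.get(m, f"0x{m:02x}") for m in payload[2:]]
    return {"type": "greeting", "methods": methods}


def parse_request(payload: bytes) -> Optional[dict]:
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if cmd not in COMMANDS:
        return None
    if atyp == 0x01 and len(body) == 6:                        # IPv4 address
        host, port_raw = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == 0x04 and len(body) == 18:                     # IPv6 address
        host, port_raw = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif atyp == 0x03 and body and len(body) == 3 + body[0]:   # length-prefixed domain name
        host, port_raw = body[1:1 + body[0]].decode("ascii", "replace"), body[1 + body[0]:]
    else:
        return None
    return {"type": "request", "command": COMMANDS[cmd],
            "host": host, "port": struct.unpack("!H", port_raw)[0]}


def classify_socks5(payload: bytes) -> Optional[dict]:
    """Return the parsed SOCKS5 message, or None if the bytes are not SOCKS5."""
    return parse_greeting(payload) or parse_request(payload)


def find_proxy_hosts(flows) -> dict:
    """Map each destination host that received a SOCKS5 CONNECT to the
    (source, target host, target port) tuples it was asked to relay.
    flows: iterable of (src_ip, dst_ip, payload_bytes)."""
    proxies: dict = {}
    for src, dst, payload in flows:
        msg = classify_socks5(payload)
        if msg and msg["type"] == "request" and msg["command"] == "CONNECT":
            proxies.setdefault(dst, []).append((src, msg["host"], msg["port"]))
    return proxies


# Constructed sample flows (addresses and bytes invented for this example).
SAMPLE_FLOWS = [
    # relay -> compromised workstation: SOCKS5 greeting offering no-auth only
    ("203.0.113.10", "10.0.0.25", b"\x05\x01\x00"),
    # ... then CONNECT to 192.168.1.10:3389 (RDP) through the workstation
    ("203.0.113.10", "10.0.0.25", b"\x05\x01\x00\x01\xc0\xa8\x01\x0a\x0d\x3d"),
    # ... and CONNECT to fileserver.corp.example:445 addressed by domain name
    ("203.0.113.10", "10.0.0.25",
     b"\x05\x01\x00\x03" + bytes([23]) + b"fileserver.corp.example" + b"\x01\xbd"),
    # unrelated HTTP request: must not be classified as SOCKS5
    ("10.0.0.7", "10.0.0.80", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for proxy, targets in find_proxy_hosts(SAMPLE_FLOWS).items():
        print(f"{proxy} acted as a SOCKS5 proxy for {len(targets)} CONNECT request(s):")
        for src, host, port in targets:
            print(f"  {src} -> {host}:{port}")
```

On the constructed flows the workstation 10.0.0.25 is reported as relaying connections to an RDP and an SMB target, which is exactly the lateral-movement shape the report describes; fed with payloads from a real capture, any internal host that shows up here deserves a look regardless of which port the traffic arrived on.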

The Python-based backdoor is far from the only precursor detected in ransomware attacks. As highlighted by Halcyon earlier this month, some of the other tools deployed prior to ransomware deployment include those responsible for –

  • Disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab
  • Stealing credentials using LaZagne
  • Compromising email accounts by brute-forcing credentials using MailBruter
  • Maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes

Ransomware campaigns have also been observed targeting Amazon S3 buckets by leveraging Amazon Web Services’ Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victim data. The activity has been attributed to a threat actor dubbed Codefinger.

Besides preventing recovery without the attacker-generated key, the attacks employ urgent ransom tactics wherein the files are marked for deletion within seven days via the S3 Object Lifecycle Management API to pressure victims into paying up.


“Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects,” Halcyon said. “By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation.”
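The two S3 indicators described above, object writes with customer-provided keys (SSE-C) and a lifecycle rule that expires the bucket's objects within days, are both visible in CloudTrail, so they can be correlated per bucket. The script below is an added example written for this article, not code from Halcyon or AWS. The record layout and the request-parameter key names it inspects are assumptions for the example and should be confirmed against your own CloudTrail output; the account ID, principal ARNs, bucket names and records are constructed.

```python
"""Flag CloudTrail S3 events that match the SSE-C ransom pattern: objects
(re)written with customer-provided keys plus a lifecycle rule that expires
the bucket's objects within a few days."""
from __future__ import annotations

import json
from collections import defaultdict

# Field names assumed for this example; confirm against real CloudTrail records.
SSE_C_ALGORITHM_KEY = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

# Constructed sample records (account id, ARNs and bucket names are invented).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-15.sql",
                           SSE_C_ALGORITHM_KEY: "AES256"}},
    {"eventName": "CopyObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-14.sql",
                           SSE_C_ALGORITHM_KEY: "AES256"}},
    # SSE-S3 write by the normal backup role: benign, must not be flagged
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup-job"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-16.sql",
                           "x-amz-server-side-encryption": "AES256"}},
    # seven-day expiration set by the same leaked principal
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "acme-backups", "LifecycleConfiguration": {
         "Rule": {"ID": "pay-up", "Status": "Enabled", "Filter": {"Prefix": ""},
                  "Expiration": {"Days": 7}}}}},
    # ordinary one-year retention on a different bucket: benign
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/admin"},
     "requestParameters": {"bucketName": "acme-logs", "LifecycleConfiguration": {
         "Rule": {"ID": "retain-1y", "Status": "Enabled", "Expiration": {"Days": 365}}}}},
]})


def _lifecycle_rules(config: dict) -> list:
    """Lifecycle configs carry either a single 'Rule' object or a 'Rules' list."""
    rules = config.get("Rule") or config.get("Rules") or []
    return rules if isinstance(rules, list) else [rules]


def analyze(records: list, max_days: int = 7) -> list:
    """Return findings; a bucket showing both indicators is rated high."""
    ssec_writes = defaultdict(int)   # (principal, bucket) -> number of SSE-C writes
    short_expiry = {}                # bucket -> (principal, expiration days)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName", "?")
        principal = (rec.get("userIdentity") or {}).get("arn", "?")
        if name in WRITE_EVENTS and params.get(SSE_C_ALGORITHM_KEY):
            ssec_writes[(principal, bucket)] += 1
        elif name in LIFECYCLE_EVENTS:
            for rule in _lifecycle_rules(params.get("LifecycleConfiguration") or {}):
                days = (rule.get("Expiration") or {}).get("Days")
                if isinstance(days, int) and days <= max_days:
                    short_expiry[bucket] = (principal, days)
    ssec_buckets = {bucket for _, bucket in ssec_writes}
    findings = []
    for (principal, bucket), count in ssec_writes.items():
        findings.append({"indicator": "sse_c_writes", "bucket": bucket, "principal": principal,
                         "objects": count, "severity": "high" if bucket in short_expiry else "medium"})
    for bucket, (principal, days) in short_expiry.items():
        findings.append({"indicator": "short_expiration", "bucket": bucket, "principal": principal,
                         "days": days, "severity": "high" if bucket in ssec_buckets else "low"})
    return findings


def analyze_cloudtrail_json(text: str, max_days: int = 7) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) and analyse it."""
    return analyze(json.loads(text)["Records"], max_days)


if __name__ == "__main__":
    for finding in analyze_cloudtrail_json(SAMPLE_CLOUDTRAIL):
        print(finding)
```

SSE-C writes alone are only medium severity because some workloads legitimately use customer-provided keys; what makes the constructed acme-backups case high is the combination with a short expiration set by the same principal. Note that S3 data events such as PutObject are only present in CloudTrail if data-event logging is enabled for the bucket, so the first indicator is invisible without it.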

The development comes as SlashNext said it has witnessed a surge in “rapid-fire” phishing campaigns mimicking the Black Basta ransomware crew’s email bombing technique to flood victims’ inboxes with over 1,100 legitimate messages related to newsletters or payment notices.

“Then, when people feel overwhelmed, the attackers swoop in via phone calls or Microsoft Teams messages, posing as company tech support with a simple fix,” the company said.

“They speak with confidence to gain trust, directing users to install remote-access software like TeamViewer or AnyDesk. Once that software is on a device, attackers slip in quietly. From there, they can spread harmful programs or sneak into other areas of the network, clearing a path straight to sensitive data.”
