I don't know if there is a trend but I recently found some malicious Python scripts (targeting Windows hosts) that include a GUI. They don't try to hide from the victim but, on the opposite, they try to make them confident. One example was the game[1] combined with an infostealer.

Yesterday, I found another one that mimicks an MP3 player:

This is very easy to do in Python, create a TK GUI and use pygame[2] to handle the MP3 files:

pygame.mixer.music.load(selected_music)
pygame.mixer.music.play()

This simple MP3 player has a gift for you: It includes a keylogger based on another popular library: pynput[3]. All recorded keystrokes are sent to a simple TCP connection established with the C2. There is no encryption, nothing. Just raw keycodes are sent.

This is a perfect opportunity to show you how powerful keyloggers are. Even, if you use robust passwords, everything is exfiltrated to the attacker's computer. I made a quick video to demonstrate how it works[4]. I just modified the C2 details to match my lab and let's play some music:

The Python script (SHA256:4f6388fa03aaff486886ca09bc1047b109c92451618d90b4aaef2e89ce14a0af) has a very low VT detection score (2/61)[5].

[1] https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510
[2] https://pypi.org/project/pygame/
[3] https://pypi.org/project/pynput/
[4] https://youtu.be/4fViSafrjnY
[5] https://www.virustotal.com/gui/file/4f6388fa03aaff486886ca09bc1047b109c92451618d90b4aaef2e89ce14a0af/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key