This week I already wrote a diary about "code reuse" in the malware landscape, but attackers also have plenty of tools to generate new samples on the fly. When you receive a malicious Word document, it has not been prepared by hand; it has almost certainly been generated automatically, unless you are a "nice" target for attackers and the victim of some kind of "APT". The keyword here is "automation". If defenders try to automate as much as possible, attackers do too!
Today, Discord is often used by attackers as a convenient C2 server, and we can find plenty of Python malware that interacts with Discord. Most of it consists of info stealers. I have already found plenty of such scripts, but today I spotted something else: a script to generate your own RAT ("Remote Access Tool"). The script has a VT score of 7/56 (SHA256: f13433cc26702e7b6116e36629625cc798d0ad4b26aa782a551a38ec3dc8ab23). I had to fine-tune the script a bit to make it work in my sandbox, but the usage is pretty simple:
The script is very simple, it contains the RAT standard code and the provided token is injected into it:
```python
# The generator writes the RAT source to disk, substituting the operator's
# Discord bot token (tokenbot) for the ~~TOKENHERE~~ placeholder.
file.write("""import winreg
import ctypes
import sys
import os
import ssl
import random
import threading
import time
import cv2
import subprocess
import discord
from comtypes import CLSCTX_ALL
from discord.ext import commands
from ctypes import *
import asyncio
import discord
from discord import utils

token = '~~TOKENHERE~~'
global appdata
appdata = os.getenv('APPDATA')
client = discord.Client()
bot = commands.Bot(command_prefix='!')
...
...
""".replace("~~TOKENHERE~~", tokenbot))
```
You can see that the script asks whether the generated RAT must be compiled. This is achieved using the pyinstaller module. Once completed, you have a fully standalone PE file ready to be sent to your victims. I uploaded my sample to VT and it got a score of 10/67, not so bad from an attacker's point of view.
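Because the generator only swaps a token into a fixed template, every RAT it produces shares the same static strings, which makes them easy to triage. The following scanner is an added example (not code from the diary, the generator, or the sample): it looks for the indicator strings visible in the template excerpt above, plus anything shaped like a Discord bot token, and returns a verdict. The token regex is my assumption about the usual "id.timestamp.signature" shape of Discord bot tokens, not an official specification, and the three input snippets are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Static indicators lifted from the template excerpt in the diary.
# "template_placeholder" only appears in the builder itself, never in a
# generated RAT, so it is treated as a separate strong signal.
INDICATORS = {
    "discord_client": "discord.Client()",
    "discord_commands_bot": "commands.Bot(command_prefix=",
    "template_placeholder": "~~TOKENHERE~~",
    "appdata_lookup": "os.getenv('APPDATA')",
    "registry_access": "import winreg",
    "webcam_capture": "import cv2",
}

# ASSUMPTION: heuristic for the common shape of a Discord bot token
# (base64 user id, ".", 6-char timestamp, ".", 27+ char signature).
TOKEN_RE = re.compile(
    r"\b[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b"
)


def redact(token: str) -> str:
    """Keep just enough of a token to correlate samples without logging the secret."""
    return token[:6] + "..." + token[-4:]


@dataclass
class ScanResult:
    indicators: list = field(default_factory=list)  # matched indicator names
    tokens: list = field(default_factory=list)      # redacted token-like strings

    @property
    def verdict(self) -> str:
        # The placeholder is only present in the builder, before substitution.
        if "template_placeholder" in self.indicators:
            return "likely-rat-builder"
        discord_hit = any(name.startswith("discord_") for name in self.indicators)
        # Discord bot + embedded token, or Discord bot + several host-side
        # capabilities (registry, webcam, APPDATA), is the generated-RAT profile.
        if discord_hit and (self.tokens or len(self.indicators) >= 3):
            return "likely-discord-rat"
        # A bare Discord client is just a Discord app; leave it to an analyst.
        if discord_hit:
            return "needs-review"
        return "clean"


def scan_text(text: str) -> ScanResult:
    """Scan script source (or strings extracted from a bundled binary)."""
    result = ScanResult()
    for name, needle in INDICATORS.items():
        if needle in text:
            result.indicators.append(name)
    for match in TOKEN_RE.finditer(text):
        result.tokens.append(redact(match.group(0)))
    return result


# Constructed samples: a script as the generator would emit it, a harmless
# bot, and the builder template itself. The token value is made up.
GENERATED_SAMPLE = """import winreg
import os
import cv2
import discord
from discord.ext import commands
token = 'MTAwMDAwMDAwMDAwMDAwMDAw.AbCdEf.0123456789abcdefghijklmnopqrstu'
appdata = os.getenv('APPDATA')
client = discord.Client()
bot = commands.Bot(command_prefix='!')
"""
BENIGN_SAMPLE = """import discord
client = discord.Client()
client.run(os.environ['DISCORD_TOKEN'])
"""
BUILDER_SAMPLE = "token = '~~TOKENHERE~~'\nclient = discord.Client()\n"

if __name__ == "__main__":
    for label, sample in [("generated", GENERATED_SAMPLE),
                          ("benign", BENIGN_SAMPLE),
                          ("builder", BUILDER_SAMPLE)]:
        r = scan_text(sample)
        print(f"{label}: {r.verdict} indicators={r.indicators} tokens={r.tokens}")
```

Run it over script sources directly, or over the bundled script once it has been extracted from the PyInstaller executable; the raw PE is not a good input because the embedded Python is compressed. Redacting the token before logging matters: a hit is a live C2 credential, and the prefix is enough to cluster samples built by the same operator.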
Here is a quick overview of the supported bot commands:
Xavier Mertens (@xme)
Jan 7th 2022