BleepingComputer reports that Windows systems are being compromised in phishing attacks using the new Python-based remote access trojan PY#RATION.
According to a Securonix report, the malware is distributed through phishing emails carrying password-protected ZIP attachments that contain LNK shortcut files disguised as images; PY#RATION uses the WebSocket protocol both for command-and-control (C2) communications and for data exfiltration.
Opening the LNK file initiates contact with the C2 server and downloads TXT files, which are renamed to BAT files and executed. After creating "Cortana" and "Cortana/Setup" directories, PY#RATION establishes persistence by placing a batch file in the Startup folder.
Securonix researchers found that, in addition to network enumeration, PY#RATION version 1.6.0 supports file transfers in both directions between the compromised host and the C2 server, keylogging, shell command execution, host enumeration, extraction of web browser cookies and passwords, clipboard data exfiltration, and detection of anti-virus tools.
All PY#RATION malware versions were observed to use the same C2 address.
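The three host-level artifacts the report names (an LNK shortcut named like an image file, a batch file dropped into a Startup folder, and the "Cortana" / "Cortana/Setup" staging directories) are easy to sweep for. The script below is an added triage example written for this summary, not code from Securonix or BleepingComputer. The report does not say where the Cortana directories are created, so the script treats any directory literally named "Cortana" as suspect (an assumption); the sample file listing is constructed for illustration.

```python
"""Triage helper for PY#RATION-style host artifacts.

Added example, not code from the Securonix report. It flags three
indicators the write-up names: LNK shortcuts padded with an image
extension, .bat files in a Windows Startup folder, and files or
directories under a directory literally named 'Cortana' (assumption:
the report gives no fixed location for that directory).
"""
import os
from pathlib import PureWindowsPath

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Tail shared by the per-user and all-users Startup folders (lower-case).
STARTUP_TAIL = r"\start menu\programs\startup"


def flag_pyration_artifacts(paths):
    """Return [(path, reason), ...] for every path matching an indicator.

    Heuristic only: a hit is a lead for triage, not proof of infection.
    """
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = [x.lower() for x in p.parts]
        name = p.name.lower()
        parent = str(p.parent).lower()

        # 1. LNK whose name carries an image extension first: photo.jpg.lnk
        inner_ext = PureWindowsPath(p.stem).suffix.lower()  # ext before .lnk
        if name.endswith(".lnk") and inner_ext in IMAGE_EXTS:
            hits.append((raw, "LNK disguised as an image"))

        # 2. Batch file in a Startup folder (the reported persistence method)
        if name.endswith(".bat") and parent.endswith(STARTUP_TAIL):
            hits.append((raw, "batch file in Startup folder"))

        # 3. Path component exactly 'cortana'. The genuine Cortana package
        #    directory is Microsoft.Windows.Cortana_<id>, so a bare 'Cortana'
        #    directory is unusual (assumption, see lead-in).
        if "cortana" in parts:
            i = parts.index("cortana")
            nxt = parts[i + 1] if i + 1 < len(parts) else ""
            label = "Cortana\\Setup" if nxt == "setup" else "Cortana"
            hits.append((raw, f"under {label} staging directory"))
    return hits


def scan_tree(root):
    """Walk a directory tree (intended for a Windows user profile) and
    run the indicator checks over every file and directory found."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, d) for d in dirnames)
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return flag_pyration_artifacts(found)


# Constructed sample listing (not from a real host) exercising each rule,
# plus benign entries that must not fire.
SAMPLE_LISTING = [
    r"C:\Users\bob\Downloads\invoice.jpg.lnk",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    r"C:\Users\bob\Cortana\Setup\launcher.bat",
    r"C:\Users\bob\Pictures\holiday.jpg",
    r"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.exe",
    r"C:\Users\bob\Desktop\notes.lnk",
]

if __name__ == "__main__":
    for path, reason in flag_pyration_artifacts(SAMPLE_LISTING):
        print(f"{reason}: {path}")
    if os.name == "nt":  # live sweep of the current profile on Windows only
        for path, reason in scan_tree(os.path.expanduser("~")):
            print(f"{reason}: {path}")
```

Run as-is to see the three constructed hits; on a Windows host it then sweeps the current user profile. Treat hits as leads: a batch file in Startup is common in legitimate software, so confirm by reading the file before acting.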
Russian threat actors have targeted Ukraine in the new Operation Texonto disinformation campaign, which also involved spear-phishing and credential exfiltration, according to The Hacker News.
Record-high ransomware and data extortion incidents in Western nations last year have prompted former National Security Agency Director Michael Rogers to call for a reevaluation of their cybersecurity defense strategy.