A strain of malicious code written entirely in Python, dubbed PWOBot, has been discovered infecting a number of organisations based in Europe, specifically in Poland.
Palo Alto Networks found that PWOBot uses a modular design that lets it carry out a range of functions, including logging keystrokes, executing files, executing arbitrary Python code and communicating with a remote server. The malware has been active since the end of 2013 in at least 12 different variants.
Some distribution routes of the malware include a Polish file-sharing web service known as chomikuj.pl, a Polish national research institution, a Polish shipping company, a Polish retailer, a Polish IT organisation, a Danish building company and a French optical equipment provider.
“It is unclear how this malware was originally delivered to the end-user. Inferences can be made based on the filenames witnessed, as this malware may have been delivered to end-users who believed they were downloading other software. Alternatively, it's possible that phishing attacks were used in order to entice victims into downloading these files,” Palo Alto's blog noted. The malware family has not previously been disclosed to the public.
PWOBot uses the Tor network to communicate with remote servers, which could assist organisations in spotting it on their systems. “While (Tor) provides both encryption and anonymity, it also should raise alerts to an organisation's network administrators if viewed, as such traffic likely violates said organisation's policies,” Palo Alto said.