RansomHub infection facilitated by possible AI-assisted Python backdoor
January 16, 2025 – Published on SC Media
A suspected RansomHub affiliate used a novel Python backdoor to establish persistence on a victim's network in an incident documented by GuidePoint Security.
The Python backdoor code showed signs of potential AI-assisted coding, researchers said in a GuidePoint Security GRIT blog post published Wednesday. After initial access was gained through a suspected SocGholish malware download, the malware was spread laterally across the victim's network via Remote Desktop Protocol (RDP) sessions.
GuidePoint noted that ReliaQuest had previously discovered a link between SocGholish infection and an earlier version of the backdoor. In the incident observed by GuidePoint, this attack chain concluded with the deployment of RansomHub encryptors across the entire network.
The backdoor malware showed several changes since it was first seen by ReliaQuest in February 2024, including obfuscation with the Pyobfuscate tool, the use of RDP for lateral movement across the network, and new C2 addresses used by the attacker. GuidePoint identified eighteen IP addresses linked to the backdoor's C2 infrastructure, which appeared to still be active at the time of the blog's publication. The researchers said they will continue to document IP addresses associated with the backdoor via C2IntelFeeds.