RansomHub Affiliate leverages Python-based backdoor

Jan. 16, 2025, 6:51 p.m.

Description

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of compromise. Initial access was linked to SocGholish (FakeUpdate), followed by the installation of Python and the backdoor on multiple systems. The script functions as a reverse proxy, establishing a SOCKS5-like tunnel for lateral movement. The code's polished nature suggests possible AI-assisted creation. The C2 process involves multiple steps, including hardcoded IP addresses and port assignments. This incident highlights ransomware affiliates' continued use of Python backdoors for persistence and evasion, as well as the potential adoption of AI-assisted code in malware development.

External References

https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
https://otx.alienvault.com/pulse/67893c57a4f5f2fecf3bd209
Tags
obfuscation
ransomware
socgholish
lateral movement
ransomhub
python backdoor
c2 infrastructure
socks5
2025-01-16
reverse proxy

Date

  • Created: Jan. 16, 2025, 5:05 p.m.
  • Published: Jan. 16, 2025, 5:05 p.m.
  • Modified: Jan. 16, 2025, 6:51 p.m.

Indicators

  • 5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c
  • 92.118.112.143
  • 92.118.112.208
  • 88.119.175.70
  • 88.119.175.65
  • 173.44.141.226
Download all indicators here!

Attack Patterns

  • RansomHub
  • SocGholish
  • RansomHub
  • T1021.001
  • T1059.006
  • T1053.005
  • T1571
  • T1204.002
  • T1105
  • T1219
  • T1027
  • T1133
  • T1090