
RansomHub Affiliates Use AI-Generated Python Backdoor in Sophisticated Cyberattacks


A new Python-based backdoor has been discovered by Andrew Nelson, Principal Digital Forensics and Incident Response Consultant at GuidePoint Security, shedding light on the tactics employed by ransomware gangs, particularly RansomHub affiliates. This sophisticated backdoor, potentially developed using AI, serves as a critical tool for infiltrating and maintaining access to compromised networks.

RansomHub, a Ransomware-as-a-Service operation that emerged in February 2024, has quickly made a name for itself in the cybercrime landscape. Its attractive 90/10 payment split, which lets affiliates keep 90% of ransom payments, has made RansomHub a formidable threat to organizations worldwide. Affiliates of RansomHub utilize ransomware developed in Golang and C++, supporting Windows, Linux, and ESXi, and employing strong encryption algorithms such as AES256, ChaCha20, and XChaCha20.

The newly discovered Python-based backdoor is deployed through Remote Desktop Protocol (RDP) lateral movement, enabling attackers to embed themselves within a victim’s network and execute RansomHub encryptors across compromised systems. This tool, which is polished, functional, and heavily obfuscated using techniques from PyObfuscate.com, aims to evade detection.

Unique indicators of compromise identified by GuidePoint Security in its review of the backdoor include obfuscated filenames and scheduled task names, command-and-control (C2) addresses, and the use of the SOCKS5 protocol for establishing persistent, tunneled connections.

Analysis conducted by GuidePoint Security suggests that the quality of the backdoor’s malware code hints at AI-assisted development. The Python code exhibits structured classes, descriptive variable names, and comprehensive error handling, characteristics often associated with AI-generated code. Despite the obfuscation, the code remains readable and testable after de-obfuscation, indicating the level of skill and resources involved in its creation.

The attack lifecycle initiated by RansomHub affiliates typically starts with SocGholish (FakeUpdate) malware for initial access. Once inside the network, the malicious actors quickly deploy the Python backdoor, escalating privileges and moving laterally. Key steps in this deployment process include installing Python and necessary libraries, setting up a reverse proxy script, and establishing persistence through Windows scheduled tasks. The backdoor acts as a reverse proxy, connecting to hardcoded C2 addresses and utilizing a SOCKS5-like tunnel for lateral movement, allowing attackers to stealthily access the network.

The backdoor continues to evolve: the latest version features hardcoded C2 variables, improved obfuscation methods, and a refined tunneling mechanism for TCP traffic. However, it remains limited to IPv4 and does not support IPv6. GuidePoint Security has identified 18 active IP addresses linked to the C2 infrastructure and has shared this information through a collaborative GitHub feed.

This development underscores the trend of ransomware groups incorporating AI and advanced scripting to enhance their tools. RansomHub affiliates display a high level of sophistication, from social engineering tactics for initial access to maintaining persistence with customized malware. Businesses are urged to strengthen their defenses by monitoring obfuscated scripts and unusual C2 traffic, providing employee training to combat social engineering attempts, and proactively utilizing threat intelligence feeds to identify known compromise indicators.
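The two detection opportunities the deployment description and the defensive advice above point at, a scheduled task launching a Python interpreter under an obfuscated name, and a SOCKS5 greeting appearing on a connection tied to a Python process, can be checked with a small triage script. The following is an added example, not code from GuidePoint's report or from the backdoor itself; the telemetry records, paths, task names, addresses, and the randomness heuristic are constructed assumptions, not real indicators from the article.

```python
import re
from typing import Dict, List

def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes.
    Seeing this on a connection that is not to a known proxy is worth a look."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods

def looks_random_name(name: str) -> bool:
    """Heuristic for obfuscated task names: alphanumeric only, 10+ chars, digits
    mixed between letters at least twice. Thresholds are assumptions, not from the report."""
    if not re.fullmatch(r"[A-Za-z0-9]{10,}", name):
        return False
    return len(re.findall(r"[A-Za-z]\d+[A-Za-z]", name)) >= 2

# User-writable locations where an interpreter dropped by an attacker would typically sit (assumed list).
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)

def suspicious_task_launch(event: Dict) -> bool:
    """Scheduled task starting a Python interpreter from a user-writable path
    or under a random-looking task name."""
    image = event.get("image", "")
    if not re.search(r"\\python(w)?\.exe$", image, re.I):
        return False
    return bool(USER_WRITABLE.match(image)) or looks_random_name(event.get("task_name", ""))

def scan(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    hits = []
    for e in events:
        if e["type"] == "task_launch" and suspicious_task_launch(e):
            hits.append(f"task:{e['task_name']}")
        elif e["type"] == "flow" and is_socks5_greeting(e["payload"]):
            hits.append(f"socks5:{e['src_image']}->{e['dst']}")
    return hits

# Constructed sample telemetry; task names, paths, and addresses are illustrative, not real IoCs.
SAMPLE_EVENTS = [
    {"type": "task_launch", "task_name": "GoogleUpdateTaskMachineUA",
     "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
    {"type": "task_launch", "task_name": "xK9qZ2mT4vLp8W",
     "image": r"C:\Users\Public\python\pythonw.exe"},
    # "payload" is the first application-layer bytes seen on the connection, in either direction
    {"type": "flow", "src_image": "pythonw.exe", "dst": "203.0.113.10:443", "payload": b"\x05\x01\x00"},
    {"type": "flow", "src_image": "chrome.exe", "dst": "198.51.100.5:443", "payload": b"\x16\x03\x01\x02\x00"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Because the backdoor acts as a reverse proxy, the SOCKS5 greeting may arrive from the C2 side over an already-established outbound connection, so the check is applied to the first bytes in either direction rather than only to client-initiated traffic.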

The discovery of this Python-based backdoor solidifies RansomHub’s standing as a significant threat in the ransomware domain. Its utilization of AI-driven development, advanced obfuscation, and functionality makes it a formidable weapon for affiliates. Security practitioners must remain vigilant, leveraging real-time intelligence and adaptive defenses to counter the evolving tactics of ransomware groups. Additional information, including associated C2 addresses and findings, is available on GuidePoint Security’s GitHub feed for community collaboration.
