Python-based malware is powering a new wave of ransomware attacks, researchers report. The malware facilitates persistent access to networks, enabling the deployment of RansomHub ransomware across compromised systems.
The attack begins with SocGholish, a JavaScript-based malware, delivered through drive-by campaigns. Victims unknowingly download it via fake web browser update alerts on compromised websites. SocGholish communicates with attacker-controlled servers to retrieve additional malicious payloads.
Recent campaigns used outdated WordPress SEO plugins to gain initial access. Once SocGholish infiltrates a system, a Python-based backdoor is deployed within 20 minutes. This backdoor acts as a reverse proxy, connecting to attacker-controlled servers and establishing SOCKS5-based tunnels for lateral movement across the network.
Researchers noted the backdoor’s sophisticated design, featuring clear coding, error handling, and descriptive variable names. These characteristics suggest that the malware’s author relies on meticulous programming or AI tools to enhance its functionality. The malware evolves continuously, employing advanced obfuscation to bypass detection.
Reports also highlight additional tools often deployed alongside ransomware. These include software for disabling security defenses, stealing credentials, and maintaining stealthy access. For instance, attackers have targeted cloud storage, exploiting Amazon S3 buckets using server-side encryption to render data inaccessible without their keys.
Threat actors also employ pressure tactics, such as deleting files after seven days, to coerce victims into paying ransoms. In parallel, phishing campaigns mimic trusted entities to overwhelm victims with emails. Attackers follow up with phone calls or messages, impersonating tech support to install remote access software. This allows them to spread malware undetected and access sensitive data.
Preventive Measures
To mitigate such risks, businesses should regularly update software, monitor network traffic, and implement robust security measures. Training employees on phishing awareness is crucial. Limiting access permissions and deploying endpoint detection tools also help protect systems from sophisticated threats.