Cybersecurity experts have identified a sophisticated campaign by North Korean state-sponsored hackers who are leveraging Python-based lures and social engineering tactics to breach highly secure networks.
The attackers employ a dual approach: meticulously crafted social engineering schemes combined with elegantly disguised Python code to gain initial access to target systems.
This versatile programming language has become a weapon of choice for DPRK operatives, allowing them to blend malicious functionality with legitimate-appearing applications.
The threat actors have demonstrated remarkable success in penetrating organizations by disguising their attacks as innocent Python applications or coding challenges.
In a recent campaign, hackers distributed a seemingly innocuous “Python Challenge” presented as part of a job interview process.
This approach exploits the trust of developers and technical professionals who regularly work with code samples or participate in technical assessments during recruitment.
Elastic Security Labs researchers identified and analyzed this threat, uncovering the sophisticated techniques used by the attackers.
Their investigation revealed that the DPRK-affiliated groups have consistently evolved their tactics, employing long-term persona development and targeted narratives to make their social engineering more convincing.
These operations often begin with seemingly legitimate interactions before deploying the malicious Python code.
The malware’s execution flow begins when victims interact with what appears to be a harmless application.
Behind the scenes, the code establishes connections to command and control servers, executes hidden commands via remote code execution (RCE), and employs various obfuscation techniques to evade detection.
The Python scripts are specifically designed to remain stealthy while maintaining effective control over infected machines.
Inside the Malicious Python Application
The malware masquerades as a “PasswordManager” application, containing a main script and two Python modules: Pyperclip and Pyrebase.
While appearing legitimate at first glance, detailed analysis reveals hidden malicious functionality.
The init.py file within the Pyperclip module contains the core of the attack, with imports that raise immediate suspicion:
import contextlib
import ctypes
import os
import platform
import subprocess
import sys
import time
import warnings
import requests
import datetime
import platform
import codecs
import base64
import tempfile
import subprocess
import os
The script contains a large base64-encoded blob assigned to the variable req_self, which when decoded reveals an entirely new self-contained Python script.
This obfuscated code uses ROT13 encoding to hide crucial elements, including the command and control server URL (decoded as “https://akamaitechnologies[.]online”).
The attackers deliberately disguise this as a legitimate Akamai service to avoid detection.
When executed, the malware first identifies the operating system, then writes its payload to a temporary directory before executing it with specific commands that vary between Windows and Unix-like systems.
This stealthy execution method ensures the malicious process runs independently from its parent, making it difficult to track or terminate.
The malware’s communication mechanism is particularly sophisticated. It establishes a connection to the remote server using encoded parameters, receives base64-encoded commands, decodes them, and executes them within the victim’s environment.
The script includes persistent retry mechanisms, ensuring it maintains communication with the command server even when initially unsuccessful.
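As an added example (not code from the Elastic write-up or from the malware itself), the following static triage helper looks for the two obfuscation layers described above in a Python source file: a large base64 literal that decodes to a complete Python script, and ROT13-hidden strings such as the command and control URL. The sample module, the `req_self` layout and the placeholder URL are constructed here for the demonstration.

```python
import ast, base64, binascii, codecs, re

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
SUSPECT_IMPORTS = {"base64", "codecs", "ctypes", "subprocess", "tempfile", "requests"}


def _decode_embedded_script(text):
    """Return the decoded text if `text` is base64 that decodes to parseable Python."""
    if not B64_RE.match(text.strip()):
        return None
    try:
        decoded = base64.b64decode(text.strip(), validate=True).decode("utf-8")
        ast.parse(decoded)
        return decoded
    except (binascii.Error, UnicodeDecodeError, SyntaxError, ValueError):
        return None


def triage_python_source(src, depth=0, max_depth=3):
    """Collect suspect imports, embedded base64 scripts and ROT13-hidden URLs."""
    findings = {"imports": set(), "embedded_scripts": [], "rot13_urls": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            findings["imports"].update(a.name for a in node.names if a.name in SUSPECT_IMPORTS)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # ROT13 hides strings such as the C2 URL from a plain search for "http".
            findings["rot13_urls"] += URL_RE.findall(codecs.decode(node.value, "rot13"))
            # A large base64 literal that decodes to a whole script (the req_self pattern).
            inner = _decode_embedded_script(node.value) if depth < max_depth else None
            if inner is not None:
                findings["embedded_scripts"].append(len(inner))
                nested = triage_python_source(inner, depth + 1, max_depth)
                findings["imports"] |= nested["imports"]
                findings["embedded_scripts"] += nested["embedded_scripts"]
                findings["rot13_urls"] += nested["rot13_urls"]
    return findings


# Constructed sample with the same layering as the PasswordManager lure (not the real malware).
C2_PLACEHOLDER = "https://c2-placeholder.invalid"  # placeholder, not a real indicator
INNER_SCRIPT = (
    "import codecs, requests\n"
    f"c2 = codecs.decode({codecs.encode(C2_PLACEHOLDER, 'rot13')!r}, 'rot13')\n"
)
OUTER_MODULE = (
    "import base64, subprocess, tempfile\n"
    f"req_self = {base64.b64encode(INNER_SCRIPT.encode()).decode()!r}\n"
    "exec(base64.b64decode(req_self))\n"
)
```

Running `triage_python_source(OUTER_MODULE)` reports the suspect imports from both layers, one embedded script, and the ROT13-hidden placeholder URL; a clean module yields empty findings.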
Elastic researchers note that this attack is part of a broader campaign that includes other variants like “CovertCatch” and “KandyKorn,” which have targeted cryptocurrency developers and engineers.
The attack demonstrates how Python’s versatility becomes a double-edged sword – its accessibility and extensive library support make it an ideal tool for both legitimate developers and malicious actors seeking to infiltrate secure environments.