A sophisticated Python-based backdoor, potentially developed using AI, has been identified as a critical tool for RansomHub affiliates to infiltrate and maintain access to compromised networks. The discovery, made by Andrew Nelson, Principal Digital Forensics and Incident Response (DFIR) Consultant at GuidePoint Security, reveals new tactics being used by ransomware gangs.
A Lucrative Model
RansomHub, a Ransomware-as-a-Service (RaaS) operation that debuted in February 2024, has rapidly gained notoriety in the cybercrime ecosystem. Known for its generous affiliate payment structure and multi-platform capabilities, the group is a formidable threat to entities worldwide.
RansomHub offers a generous 90/10 payment split, allowing affiliates to retain a whopping 90% of ransom payments—quite a lot more than its competitors. Affiliates leverage ransomware developed in Golang and C++, which supports platforms including Windows, Linux, and ESXi, and utilizes robust encryption algorithms such as AES256, ChaCha20, and XChaCha20.
Breaking Down the Threat
The backdoor, deployed via Remote Desktop Protocol (RDP) lateral movement, allows malefactors to entrench themselves within a victim’s network and facilitates the deployment of RansomHub encryptors across compromised systems. The tool is polished, functional, and heavily obfuscated using techniques from services like PyObfuscate[.]com to avoid detection.
GuidePoint Security’s review of the backdoor identified unique indicators of compromise, including:
- Obfuscated filenames and scheduled task names.
- Command-and-control (C2) addresses.
- Precise use of the SOCKS5 protocol to establish persistent, tunneled connections.
AI-Driven Code Excellence
GuidePoint’s analysis suggests that the malware’s quality points to AI-assisted development. The Python code is structured with clearly defined classes, descriptive variable names, and comprehensive error handling, characteristics often found in AI-generated code. Despite obfuscation efforts, the code remains highly readable and testable once de-obfuscated, indicating the skill and resources behind its creation.
The Attack Lifecycle
The attack begins with initial access facilitated by SocGholish (FakeUpdate) malware. Once inside, the malicious actors deploy the Python backdoor within minutes, using it to escalate privileges and move laterally across the network. Key steps in the deployment process include:
- Installing Python and necessary libraries.
- Setting up a reverse proxy script.
- Establishing persistence through Windows scheduled tasks.
The backdoor functions as a reverse proxy, connecting to hardcoded C2 addresses and using a SOCKS5-like tunnel for lateral movement. Network traffic analysis confirms its ability to proxy traffic through victim systems, providing attackers with stealthy access to the broader network.
Evolving Malware Characteristics
The latest version of the Python-based backdoor features significant updates, including:
- Hardcoded C2 variables instead of passing them as arguments.
- Enhanced obfuscation methods to evade detection.
- A refined tunneling mechanism for TCP traffic, though it remains limited to IPv4 and does not support IPv6.
GuidePoint Security identified 18 active IP addresses associated with the C2 infrastructure and has made these available via a collaborative GitHub feed.
The Broader Implications
This development highlights the growing trend of ransomware groups leveraging AI and advanced scripting to refine their tools. RansomHub’s affiliates demonstrate a high level of sophistication, from social engineering during initial access to maintaining persistence with bespoke malware.
For business, this highlights the need for stronger defenses, including:
- Continuous monitoring for obfuscated scripts and unusual C2 traffic.
- Employee training to counter social engineering attempts.
- Proactive use of threat intelligence feeds to identify known indicators of compromise.
The discovery of this backdoor cements RansomHub’s reputation as a major threat in the ransomware ecosystem. Its combination of AI-driven development, advanced obfuscation, and functionality makes it a potent weapon for affiliates.
As ransomware groups evolve their tactics, security practitioners need to be alert, using real-time intelligence and adaptive defenses to counter this scourge. Updates on associated C2 addresses and additional findings are available on GuidePoint Security’s GitHub feed for community collaboration.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.