Although it currently scores only 2/64 on VirusTotal, its sophisticated use of Python’s introspection and runtime code transformation techniques makes it a high-risk threat for targeted environments.
Self-Modifying and Packing Mechanism
The RAT leverages the inspect module to retrieve its own source code at runtime. Within the self_modifying_wrapper() function, the malware serializes critical routines such as its main() payload by XOR-encoding the source bytes with a randomly generated key.
After simulating a compression/decompression cycle with zlib and marshal, the code is reconstructed in memory and executed via exec().
A log entry confirms successful execution or records any errors to debug.log. This self-modifying layer simulates a packer, ensuring that each run produces a unique binary signature.
Advanced Polymorphic Obfuscation Pipeline
Beyond packing, the RAT's polymorph_code() implements an aggressive obfuscation pipeline. It first performs random variable renaming by mapping each identifier to a cipher of letters and digits.
It then injects a random number of junk snippets, such as unused functions, list comprehensions of zeroed lists, randomized time.sleep() calls, and empty try/except blocks, interspersed at arbitrary line positions.
Finally, function definitions are extracted, shuffled, and re-merged, further altering the code’s structure and thwarting static analysis. Each transformation writes status messages to debug.log.
The malware exposes a comprehensive suite of asynchronous routines for network reconnaissance, payload distribution, command execution, and data exfiltration. Its attack surface includes:
- Network propagation via socket_network_scan(), scan_host(), and spread_to_network(), enabling lateral movement.
- Brute-force and exploit attempts such as test_default_credentials() and try_router_hack().
- Command-and-control functionality for executing shell commands (execute()), file upload/download (upload(), download()), system information gathering (system_info()), archiving (archive()), and cryptomining simulation (mine()).
- Surveillance through screenshot(), record_screen_webcam(), audio(), and listen().
- Staged payload deployment via deliver_payload() and execute_payload().
- Data theft and reporting with get_phone_number(), send_stolen_data(), and report_spreading_status().
An integrated Discord bot interface provides attacker commands with /commands listing over a dozen options, including /encrypt for file encryption and /xworm for dropping a secondary Xworm payload from an external URL.
Indicators of Compromise and Mitigation
| IoC Type | Value |
|---|---|
| Filename | nirorat.py |
| SHA256 | 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c |
| Logfile Marker | “[+] Self-modifying code executed”; “[+] Advanced polymorphic transformation applied” |
| Domain | example.com (default Xworm spread URL) |
Defenders should monitor Python processes for the dynamic invocation of inspect.getsource(), unexpected marshal.loads(), and frequent imports of zlib paired with random delays.
File integrity checks on Python scripts, combined with runtime behavioral analysis in sandboxed environments, are recommended to detect and mitigate this evolving polymorphic threat.
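As an added example (not code from the article or from the malware), a static triage script that flags the indicator combination described above: a Python file that reads its own source with inspect.getsource(), rebuilds code through marshal.loads()/zlib and runs it with exec(), or embeds one of the debug.log marker strings. The SUSPICIOUS_CALLS set and the SAMPLE script are constructed assumptions modelled on the description, not the real sample.

```python
"""Static triage for the self-modifying/packer pattern described in the write-up."""
import ast

# Module-level calls the write-up names as runtime indicators (assumption:
# they appear as plain `module.func(...)` attribute calls in the script).
SUSPICIOUS_CALLS = {
    ("inspect", "getsource"),
    ("marshal", "loads"),
    ("zlib", "decompress"),
    ("time", "sleep"),
}
# Log markers quoted in the IoC table.
LOG_MARKERS = (
    "[+] Self-modifying code executed",
    "[+] Advanced polymorphic transformation applied",
)

def scan_source(src: str) -> dict:
    """Walk the AST and collect indicator calls, exec() uses and embedded markers."""
    hits = {"calls": set(), "exec": 0, "markers": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                if (f.value.id, f.attr) in SUSPICIOUS_CALLS:
                    hits["calls"].add((f.value.id, f.attr))
            elif isinstance(f, ast.Name) and f.id == "exec":
                hits["exec"] += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hits["markers"].extend(m for m in LOG_MARKERS if m in node.value)
    return hits

def verdict(hits: dict) -> str:
    """Packer pattern = reads own source + marshal reconstruction + exec, or a known marker."""
    packer = {("inspect", "getsource"), ("marshal", "loads")} <= hits["calls"]
    if (packer and hits["exec"] > 0) or hits["markers"]:
        return "suspicious"
    return "clean"

# Constructed, inert sample (a string, never executed) mimicking the described wrapper.
SAMPLE = '''
import inspect, marshal, zlib, time, random
def self_modifying_wrapper(fn):
    src = inspect.getsource(fn)
    blob = zlib.compress(src.encode())
    time.sleep(random.random())
    code = marshal.loads(marshal.dumps(compile(zlib.decompress(blob), "<m>", "exec")))
    exec(code)
    open("debug.log", "a").write("[+] Self-modifying code executed\\n")
'''
```

Run `verdict(scan_source(open(path).read()))` over each .py file in a monitored directory to triage it; a "suspicious" result is a cue for the sandboxed behavioural analysis the paragraph above recommends.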
The post Polymorphic Python Malware That Repeatedly Mutates Its Appearance at Every Execution appeared first on Cyber Security News.