Categories: Cyber Security News

Polymorphic Python Malware That Repeatedly Mutates Its Appearance at Every Execution

A newly identified Python-based remote access trojan (RAT) uploaded to VirusTotal under the filename nirorat.py (SHA256: 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c) exhibits advanced polymorphic and self-modifying capabilities designed to evade signature-based detection.

Although it currently scores only 2/64 on VirusTotal, its sophisticated use of Python’s introspection and runtime code transformation techniques makes it a high-risk threat for targeted environments.

Self-Modifying and Packing Mechanism

The RAT leverages the inspect module to retrieve its own source code at runtime. Within the self_modifying_wrapper() function, the malware serializes critical routines such as its main() payload by XOR-encoding the source bytes with a randomly generated key.

After a simulated compression/decompression cycle using zlib and marshal, the code is reconstructed in memory and executed via exec().

A log entry confirms successful execution or records any errors to debug.log. This self-modifying layer simulates a packer, ensuring that each run produces a unique binary signature.

Advanced Polymorphic Obfuscation Pipeline

Beyond packing, the RAT's polymorph_code() function implements an aggressive obfuscation pipeline. It first performs random variable renaming, mapping each identifier to a randomly generated string of letters and digits.

It then injects a random number of junk snippets at arbitrary line positions: unused functions, list comprehensions that build zeroed lists, randomized time.sleep() calls, and empty try/except blocks.

Finally, function definitions are extracted, shuffled, and re-merged, further altering the code’s structure and thwarting static analysis. Each transformation writes status messages to debug.log.

The malware exposes a comprehensive suite of asynchronous routines for network reconnaissance, payload distribution, command execution, and data exfiltration. Its capabilities include:

  • Network propagation via socket_network_scan(), scan_host(), and spread_to_network(), enabling lateral movement.
  • Brute force and exploit attempts such as test_default_credentials() and try_router_hack().
  • Command and control functionality for executing shell commands (execute()), file upload/download (upload(), download()), system information gathering (system_info()), archiving (archive()), and cryptomining simulation (mine()).
  • Surveillance through screenshot(), record_screen_webcam(), audio(), and listen().
  • Staged payload deployment via deliver_payload() and execute_payload().
  • Data theft and reporting with get_phone_number(), send_stolen_data(), and report_spreading_status().

An integrated Discord bot interface provides the attacker's command channel; its /commands listing offers over a dozen options, including /encrypt for file encryption and /xworm for dropping a secondary Xworm payload from an external URL.

Indicators of Compromise and Mitigation

IoC Type        Value
Filename        nirorat.py
SHA256          7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c
Logfile Marker  "[+] Self-modifying code executed"; "[+] Advanced polymorphic transformation applied"
Domain          example.com (default Xworm spread URL)

Defenders should monitor Python processes for the dynamic invocation of inspect.getsource(), unexpected marshal.loads(), and frequent imports of zlib paired with random delays.

File integrity checks on Python scripts, combined with runtime behavioral analysis in sandboxed environments, are recommended to detect and mitigate this evolving polymorphic threat.
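The two detection measures above (watching for the inspect.getsource() / marshal.loads() / zlib / exec() combination, and integrity-checking Python scripts) can be turned into a small static triage tool. The following is an added example written for this article, not code from the analysed sample or from any vendor; the indicator weights, the bonus for the full inspect/marshal/exec combination, and the two embedded sample sources are constructed assumptions chosen to illustrate the approach.

```python
import ast
import hashlib
import pathlib
import tempfile
from typing import Dict, List

# Indicators named in the article, with hypothetical weights: retrieving the
# script's own source, rebuilding code from marshal/zlib, executing it, and
# the randomized sleeps used as junk code.
SUSPICIOUS_CALLS = {
    "inspect.getsource": 3,
    "marshal.loads": 3,
    "zlib.decompress": 1,
    "exec": 2,
    "compile": 1,
    "time.sleep": 1,
}

# Constructed sample mimicking the call pattern described in the article.
# It is not the malware; it merely exercises the same indicator calls.
SAMPLE_SUSPICIOUS = '''
import inspect, marshal, zlib, time, random
def main():
    pass
src = inspect.getsource(main)
blob = zlib.compress(src.encode())
time.sleep(random.random())
code = marshal.loads(zlib.decompress(blob))
exec(code)
'''

# Constructed benign sample: a single sleep is not evidence on its own.
SAMPLE_BENIGN = '''
import time
def poll():
    time.sleep(1)
    return "ok"
'''


def _call_name(node: ast.Call) -> str:
    """Render a call target as 'module.attr' or a bare 'name'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> Dict[str, int]:
    """Count occurrences of each suspicious call in a Python source string.

    Heavily mutated scripts may not parse; those are reported explicitly
    rather than silently skipped, since they deserve a manual look.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {"<syntax-error>": 1}
    hits: Dict[str, int] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                hits[name] = hits.get(name, 0) + 1
    return hits


def risk_score(hits: Dict[str, int]) -> int:
    """Sum the weight of each distinct indicator present, with a bonus when
    the full self-reconstruction chain (getsource + marshal.loads + exec)
    appears together, which is the combination the article describes."""
    score = sum(SUSPICIOUS_CALLS.get(name, 0) for name in hits)
    if {"inspect.getsource", "marshal.loads", "exec"} <= hits.keys():
        score += 5
    return score


def build_baseline(root: pathlib.Path) -> Dict[str, str]:
    """SHA-256 of every .py file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.py"))
    }


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Paths whose hash changed, or which did not exist at baseline time."""
    return sorted(f for f, h in current.items() if baseline.get(f) != h)


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = scan_source(src)
        print(f"{label}: score={risk_score(hits)} hits={hits}")

    # Integrity demo in a scratch directory: baseline, then "mutate" a file.
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "tool.py").write_text(SAMPLE_BENIGN)
        before = build_baseline(root)
        (root / "tool.py").write_text(SAMPLE_BENIGN + "\n# changed\n")
        print("changed:", diff_baseline(before, build_baseline(root)))
```

Run it periodically against directories that hold scheduled or user-deployed Python scripts: a high risk_score on a file that also shows up in diff_baseline() is exactly the "script rewrites itself at every execution" behaviour the article warns about, and is worth pulling into a sandbox for the runtime analysis recommended above.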
