This post was authored by Warren Mercer and Vitor Ventura
Introduction
Talos has identified two versions of a remote access trojan (RAT) written entirely in Python and wrapped into a standalone Windows executable. The RAT is being used against users of a Brazilian public sector management school.
Both versions (3.0 and 4.0, according to version strings inside the samples) were written in Python and packed into an executable with py2exe, a common packaging tool. The py2exe layout makes the packed contents easy to recover: the main script's bytecode is stored in a PE resource of type PYTHONSCRIPT, the Python interpreter DLL in a resource of type PYTHON27.DLL (custom resource types rather than section headers, so they appear in a resource walk, not in the section table), and the bytecode of all remaining modules is compressed into a zip archive appended to the executable as an overlay.
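The two recovery steps that layout implies, carving the overlay archive from the end of the section table and decoding the PYTHONSCRIPT blob, are shown below as an added example; it is not code from the Talos write-up or from py2exe. The 16-byte header (tag 0x78563412, optimize, unbuffered, data_bytes) followed by a NUL-terminated zip path and a marshalled list of code objects is the layout py2exe 0.6's run-time stub expects; the sample PE, its overlay contents and the script names are constructed for the example. Extracting the PYTHONSCRIPT resource from a real binary (for instance with pefile's resource directory walk) is assumed to have happened already and is not part of the block.

```python
import io
import marshal
import struct
import zipfile

# Tag checked by py2exe 0.6's loader stub before it trusts the PYTHONSCRIPT blob.
PY2EXE_TAG = 0x78563412


def section_table(pe):
    """Return [(name, raw_ptr, raw_size), ...] from the PE section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    base = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, base + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def carve_overlay(pe):
    """Everything past the end of the last section's raw data is overlay."""
    end = max(ptr + size for _, ptr, size in section_table(pe))
    return end, pe[end:]


def parse_pythonscript(blob):
    """Decode a PYTHONSCRIPT resource blob into its header fields and script names.

    Caveat: marshal is interpreter-specific, so a blob built by a Python 2.7
    py2exe (PYTHON27.DLL) must be decoded under Python 2.7, not 3.x.
    """
    tag, optimize, unbuffered, data_bytes = struct.unpack_from("<iiii", blob, 0)
    if tag != PY2EXE_TAG:
        raise ValueError("PYTHONSCRIPT tag mismatch: 0x%08x" % (tag & 0xFFFFFFFF))
    zip_end = blob.index(b"\0", 16)
    zippath = blob[16:zip_end].decode("ascii")
    code_objs = marshal.loads(blob[zip_end + 1:zip_end + 1 + data_bytes])
    scripts = [co.co_filename for co in code_objs]   # boot scripts first, main script last
    return {"optimize": optimize, "unbuffered": unbuffered, "zippath": zippath,
            "scripts": scripts, "main_script": scripts[-1]}


def triage(pe, script_blob):
    """Summarise a py2exe binary: overlay location, archive members, embedded scripts."""
    offset, overlay = carve_overlay(pe)
    report = {"overlay_offset": offset,
              "overlay_is_zip": overlay[:4] == b"PK\x03\x04",
              "zip_members": []}
    if report["overlay_is_zip"]:
        with zipfile.ZipFile(io.BytesIO(overlay)) as z:
            report["zip_members"] = z.namelist()
    report.update(parse_pythonscript(script_blob))
    return report


def build_sample():
    """Constructed stand-in for a py2exe binary (not a real sample): minimal PE
    headers with one section, a library.zip overlay, and a PYTHONSCRIPT blob."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, 1 section, no optional header
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + sec
    hdr += b"\0" * (raw_ptr - len(hdr))
    body = hdr + b"\xC3" * 0x10                        # section body: RET instructions
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:              # constructed library.zip overlay
        z.writestr("helper.pyc", b"\x03\xf3\r\n" + b"\0" * 12)
        z.writestr("zlib.pyd", b"MZ")
    pe = body + zbuf.getvalue()
    boot = compile("import sys\n", "boot_common.py", "exec")
    main = compile("import helper\nprint('rat main')\n", "rat_main.py", "exec")
    code = marshal.dumps([boot, main])
    blob = struct.pack("<iiii", PY2EXE_TAG, 0, 0, len(code)) + b"library.zip\0" + code
    return pe, blob


if __name__ == "__main__":
    sample_pe, sample_blob = build_sample()
    for key, value in triage(sample_pe, sample_blob).items():
        print("%-15s %r" % (key, value))
```

On a real sample the overlay carve works on the file bytes alone, while the PYTHONSCRIPT blob has to come from the resource directory; once decoded, the last code object in the marshalled list is the operator's own script and can be disassembled or decompiled directly, which is what makes py2exe-packed malware comparatively transparent to analyse.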
Both versions have all the usual RAT capabilities. During our investigation, however, it became clear that version 4.0 (the latest) is a stripped-down build: some features were removed, as explained later, so that it could be used in a targeted campaign.
The targets of this campaign are the users of INESAP (Instituto Nacional Escola Superior da Administração Pública), a Brazilian public sector management school that also does consulting work.