Dangerous Password Campaign Targets Desktops With Python

Researchers have found a new malware campaign from the Dangerous Password attack group against desktops. The threat actors have caught the malicious campaign deploying Python and Node.js malware on Linux, Windows, and Mac devices.

Dangerous Password Campaign Targets Desktops With Python, Node.js Malware

Dangerous Password Running Active Malware Campaigns Against Desktops

According to JPCERT/CC, the notorious DangerousPassword attack group is running active campaigns against all major desktop systems – Windows, Mac, and Linux. Specifically, the malicious campaign targets these desktops with Python and Node.js malware.

In brief, the attack flow begins by tricking the user into downloading and executing a malicious file, “builder.py,” in the Python module for handling QR codes. Upon reaching the target device, the Python malware gathers system information, transmits it to the C2, and proceeds or modifies the attack flow accordingly for the respective OS.

On Windows, the malware downloads one or more executable MSI files from an external source while communicating with C2. One of these MSI files gathers the device’s information, whereas the other MSI file downloads a DLL file (devobj.dll) and sideloads it to the rdpclip.exe (a standard Windows program) to execute the malware.

On macOS and Linux systems, after the Python malware reaches the devices, the embedded BASE64-encoded strings decode and execute as a Python file. After transmitting system details to the C2, the malware downloads the PythonHTTPBackdoor.

In some cases, the researchers also noticed the attack infecting the devices with another malware, JokerSpy. Besides the Python malware, the JPCERT/CC also observed the involvement of “route.js” and “request.js” malicious files. The Node.js malware also follows a similar attack flow to the Python counterpart, executing the attack sneakily.

The researchers have shared a detailed technical analysis of the malware campaign in their advisory. DangerousPassword, aka “CryptoMimic” and “SnatchCrypto,” is a known malware that has been actively running malicious campaigns since 2019. Despite being known for years, the malware’s persistent success indicates its grip on executing stealthy attacks. The key to preventing such attacks is to avoid interacting with URLs, files, and attachments from unknown sources.
Attribution link