Python Malware


This tutorial demonstrates some proofs of concept for creating malware using Python and PyInstaller.  In the video tutorial we demonstrated how to compile a Python script into a Portable Executable (PE) using PyInstaller.  Now let’s demonstrate some quick proof-of-concept code that performs malicious actions on a Windows host.

Coding the Malware:
One of the most common things you’ll find with malware is that it wants to gain persistence on the victim.  There are loads of ways to achieve persistence on Windows, one of the more common being to modify the following registry key: “Software\Microsoft\Windows\CurrentVersion\Run”.  Below is a quick screenshot of the Python code to copy the program to the %TEMP% directory and then make a registry modification so the code will execute whenever a user logs into the computer:
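The same persistence mechanism seen from the defender’s side: an added example (not code from this post) that audits the HKCU and HKLM Run keys for autostart entries pointing into a temporary directory, which is exactly what the %TEMP% copy above would leave behind.  The function names and the sample entries are my own constructions; the actual registry read uses `winreg` and therefore only runs on Windows, with the constructed sample standing in elsewhere.

```python
"""Audit Windows Run-key autostart entries for executables that live in a temp
directory, the persistence pattern described above.  Added defender-side example,
not code from the post; sample entries are constructed, registry read is Windows-only."""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Temp markers: %TEMP%/%TMP% unexpanded, or an expanded ...\Temp\ or ...\tmp\
# path component (matched case-insensitively).
TEMP_PATTERN = re.compile(r"%temp%|%tmp%|\\temp\\|\\tmp\\", re.IGNORECASE)
# Constructed sample of {value name: command line} as EnumValue() would return.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "updater": r'"C:\Users\alice\AppData\Local\Temp\updater.exe"',
    "svc": r"%TEMP%\svc.exe",
}


def audit_entries(entries):
    """Return names of Run values whose command line references a temp dir.
    Scanning the whole line instead of a parsed path errs toward flagging."""
    return [name for name, cmd in entries.items() if TEMP_PATTERN.search(cmd)]


def collect_run_entries():
    """Read the HKCU and HKLM Run keys with winreg on Windows; elsewhere return
    the constructed sample so the audit can be exercised offline."""
    if sys.platform != "win32":
        return dict(SAMPLE_ENTRIES)
    import winreg  # Windows-only standard-library module
    entries = {}
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries[label + "\\" + name] = str(data)
                    index += 1
        except OSError:
            pass  # key absent or not readable from this account
    return entries
```

On a Windows host, `audit_entries(collect_run_entries())` returns the flagged value names prefixed with their hive; the HKCU key is writable by any logged-in user, so it deserves the same scrutiny as HKLM.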

Now that we have copied this file over to the %TEMP% directory and set up persistence, we can execute the next portion of the code: the reverse shell.  I leveraged a Python reverse shell released by TrustedSec and made one modification, Base64-encoding the network traffic:

Now when this program executes it will open a reverse shell back to the “attacker”, which in this case is a hard-coded IP address in the script, but it could easily be a domain name, or maybe something in the Amazon cloud.  Below is a quick screenshot demonstrating the program executing on a Windows host and connecting back to the attacker.  Note that the network traffic is Base64-encoded:


Here is the full code:



