By Matthew Broersma
IT security researchers have discovered an unusual family of malicious code written entirely in the Python programming language, making it easy to port to different operating systems.
The malware uses a modular design that allows it to carry out a selection of different attacks, including executing files, logging keystrokes, mining bitcoins using the affected system’s CPU resources, executing arbitrary Python code and communicating with a remote server, according to Palo Alto Networks.
European organizations targeted
At least 12 variants of the “PWOBot” malware are known to exist, with six having been spotted on the open Internet, Palo Alto said.
It found the malware has been involved in attacks dating back at least to the end of 2013 and has targeted a number of European organizations, particularly in Poland. During the latter half of 2015, targets in the country included a national research institution, a shipping company, a large retailer and an IT organization, as well as a construction company in Denmark and an optical equipment provider in France, Palo Alto said.
“While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems,” the firm said in an advisory. “That fact, coupled with a modular design, makes PWOBot a potentially significant threat.”
The malware family hasn’t previously been disclosed to the public, Palo Alto said.
It isn’t clear how the malware initially made its way onto affected systems, the firm said—it could have been via an email-borne phishing attack or via a user download. The malware disguises itself as various Windows utility programs and has been spotted on popular Polish file-sharing site chomikuj.pl, Palo Alto said.
The company noted that PWOBot uses the Tor network to communicate with remote servers, which could help organizations spot it on their systems.
“While (Tor) provides both encryption and anonymity, it also should raise alerts to an organization’s network administrators if viewed, as such traffic likely violates said organization’s policies,” Palo Alto said.