A new polymorphic malware identified by a security researcher earlier this week remains undetected by most security tools. Xavier Mertens wrote about the malware in a SANS blog [post](https://isc.sans.edu/diary/32354) on October 8. At the time, there were only two detections of the malware on VirusTotal. Two days later, there are still only [two detections](https://www.virustotal.com/gui/file/7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c).

## Polymorphic Malware Built on Python

The malware, a Python remote access [trojan](https://cyble.com/trojan/ "trojan") (RAT) uploaded to VirusTotal as ‘nirorat.py,’ got Mertens’ attention because of some function names in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code(). Polymorphic [malware](https://cyble.com/knowledge-hub/what-is-malware/ "malware") is designed to mutate its appearance or signature files every time it executes, he said. ‘To be able to modify its code on the fly, the program must have access to its own source code,’ he wrote. ‘Many languages have this capability.’ In Python, the *inspect* module provides that capability, he added.

In the malware he identified, Mertens said the self_modifying_wrapper() function ‘will grab a function code, XOR it with a random key then un-XOR it and execute it from memory’ to wrap critical code in a self-modifying layer. The malware can also obfuscate code with advanced variable renaming and junk code injection. He included code samples for the self_modifying_wrapper() and polymorph_code() functions.

### Python RAT also Includes More Than 40 Attack Capabilities

The malware also has more than 40 attack and reconnaissance capabilities ‘and offers plenty of features to the Attacker,’ he said.
Some of the functions and capabilities include network and host scanning, router hacking, testing default credentials, screen recording, payload delivery and execution, stolen [data](https://thecyberexpress.com/what-is-data/ "data") transmission, lateral movement, and more. Among the bot commands are options for deploying the Xworm payload, running a keylogger and exporting the logs, encrypting the victim’s files, running a [cryptominer](https://cyble.com/cryptominer/ "cryptominer"), capturing screenshots and audio, running shell commands, uploading files to the victim PC, and searching and sending files from the PC.
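As an added example (not code from the SANS diary or from this article), here is a small static check a defender can run over a Python file to flag the self-modifying pattern Mertens described: a function that reads its own source through inspect.getsource, XORs it, and hands the result to exec. The two source samples are constructed for the demo, and KNOWN_NAMES is taken from the function names quoted above.

```python
import ast

# Function names quoted from the sample in the SANS diary; a weak, name-based
# indicator used alongside the structural checks below.
KNOWN_NAMES = {"self_modifying_wrapper", "decrypt_and_execute", "polymorph_code"}
EXEC_SINKS = {"exec", "eval", "compile"}

def _call_name(node: ast.Call) -> str:
    """Return a dotted name such as 'inspect.getsource' or 'exec' for a call."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def scan_source(src: str) -> dict:
    """Flag the self-modifying pattern: read own source, XOR it, exec it."""
    found = {"getsource": False, "exec_sink": False, "xor": False, "names": set()}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name == "inspect.getsource":
                found["getsource"] = True
            elif name in EXEC_SINKS:
                found["exec_sink"] = True
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
            found["xor"] = True  # byte-wise XOR is the 'encryption' layer described
        elif isinstance(node, ast.FunctionDef) and node.name in KNOWN_NAMES:
            found["names"].add(node.name)
    # All three structural indicators together are the signal; names alone are not.
    found["suspicious"] = found["getsource"] and found["exec_sink"] and found["xor"]
    return found

# Constructed sample mirroring only the shape of the wrapper Mertens described.
SUSPICIOUS_SAMPLE = """
import inspect
def self_modifying_wrapper(func):
    blob = bytes(b ^ 0x5A for b in inspect.getsource(func).encode())
    exec(bytes(b ^ 0x5A for b in blob).decode())
"""

# Constructed benign sample: inspect and XOR appear, but nothing is executed.
BENIGN_SAMPLE = """
import inspect
def checksum(data):
    return len(inspect.getsource(checksum)) + sum(b ^ 0xFF for b in data)
"""
if __name__ == "__main__":
    print(scan_source(SUSPICIOUS_SAMPLE), scan_source(BENIGN_SAMPLE))
```

A hit on all three structural indicators is worth a manual look; the name match alone is easy for a polymorphic sample to rename away, which is why it is not part of the verdict.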