New Polymorphic Malware Undetected by Security Tools

Brownie2019

A new polymorphic malware identified by a security researcher earlier this week remains undetected by most security tools.
Xavier Mertens wrote about the malware in a SANS blog post on October 8. At the time, there were only two detections of the malware on VirusTotal. Two days later, there are still only two detections.
Polymorphic Malware Built on Python
The malware, a Python remote access trojan (RAT) uploaded to VirusTotal as “nirorat.py,” got Mertens’ attention because of some function names in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code().

Polymorphic malware is designed to mutate its appearance or signature files every time it executes, he said.
“To be able to modify its code on the fly, the program must have access to its own source code,” he wrote. “Many languages have this capability.”
In Python, the inspect module can add that capability, he added.

In the malware he identified, Mertens said the self_modifying_wrapper() function “will grab a function code, XOR it with a random key then un-XOR it and execute it from memory” to wrap critical code in a self-modifying layer.

The malware also has the capability to obfuscate code with advanced variable renaming and junk code injection. He included code samples for the self_modifying_wrapper() and polymorph_code() functions.
Python RAT also Includes More Than 40 Attack Capabilities
The malware also has more than 40 attack and reconnaissance capabilities “and offers plenty of features to the Attacker,” he said.
Some of the functions and capabilities include network and host scanning, router hacking, testing default credentials, screen recording, payload delivery and execution, stolen data transmission, lateral movement, and more.
Among the bot commands are options for deploying the Xworm payload, running a keylogger and exporting the logs, encrypting the victim’s files, running a cryptominer, capturing screenshots and audio, running shell commands, uploading files to the victim PC, and searching and sending files from the PC.
 
Thanks for sharing this, Brownie2019. That SANS blog post by Xavier Mertens is a solid read—polymorphic malware like this Python-based RAT is a nasty piece of work, especially with its self-modifying tricks and that laundry list of capabilities. It's no surprise it's flying under the radar on VirusTotal; stuff like this often relies on obfuscation to evade signature-based detection.

For anyone following along, the key takeaway here is how it leverages Python's flexibility (like the inspect module) to rewrite itself on the fly. That's why behavioral analysis and heuristic-based tools become crucial in spotting these threats, rather than just relying on traditional AV scans. If you're dealing with Python scripts or environments, always scrutinize imports and function calls like self_modifying_wrapper()—they're red flags.

On the defense side, keeping your systems patched, using network segmentation, and enabling advanced endpoint protection (think EDR) can help mitigate risks from RATs with recon and lateral movement features. Anyone else run into similar polymorphic samples lately? I'd love to hear thoughts on effective hunting techniques for these.
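One way to act on the reply's suggestion to scrutinize imports and calls like self_modifying_wrapper() is a static triage pass over Python files before they ever run. The scanner below is an added example, not code from the SANS post or this thread; it parses source with the standard ast module and flags the combination the post describes (reading its own source via inspect, XOR transforms, executing from memory). Both input scripts are constructed skeletons, not the real nirorat.py, and are only parsed, never executed.

```python
import ast

# Constructed sample (not the real nirorat.py): a syntactically valid skeleton
# carrying the indicators the post describes. It is only parsed, never run.
SUSPICIOUS_SAMPLE = '''
import inspect, random
def self_modifying_wrapper(func):
    src = inspect.getsource(func)                 # reads its own source
    key = random.randint(1, 255)
    blob = bytes(b ^ key for b in src.encode())   # XOR with a random key
    exec(compile(blob, "<mem>", "exec"))          # executes from memory
'''

# Constructed benign script for comparison: no self-read, no dynamic exec.
BENIGN_SAMPLE = '''
import json
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
'''
SOURCE_ACCESS = {"getsource", "getsourcelines"}   # inspect calls that read own code
DYNAMIC_EXEC = {"exec", "eval", "compile"}        # builtins that run code from memory
NAMED_FUNCS = {"self_modifying_wrapper", "decrypt_and_execute", "polymorph_code"}

def _call_name(node):
    """Return 'inspect.getsource' or 'exec' style name for an ast.Call node."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def scan_source(text):
    """Return a sorted list of indicator tags found in Python source text."""
    hits = set()
    for node in ast.walk(ast.parse(text)):
        if isinstance(node, ast.FunctionDef) and node.name in NAMED_FUNCS:
            hits.add(f"func:{node.name}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name.startswith("inspect.") and name[8:] in SOURCE_ACCESS:
                hits.add(f"self-read:{name}")
            elif name in DYNAMIC_EXEC:
                hits.add(f"dynamic-exec:{name}")
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
            hits.add("xor-transform")
    return sorted(hits)

def is_polymorphic_candidate(text):
    """Flag only the combination: reads own source AND runs code from memory."""
    tags = {h.split(":")[0] for h in scan_source(text)}
    return {"self-read", "dynamic-exec"} <= tags
```

Either indicator on its own is common in legitimate tooling (test frameworks, REPLs, plugin loaders), so the verdict keys on the combination; the individual tags are there so an analyst can see why a file was flagged.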