244. Adversaries Abuse Python to Deliver Commercial Malware

Hello everyone! We all are a bit tired of PowerShell. Even adversaries. So today we'll look at how they misuse another popular command and scripting interpreter, Python (T1059.006). According to this report, the adversary used AI-themed lures to trick the victim into installing ScreenConnect. Next, the threat actors ran a malicious BAT file, which, among other things, executed a renamed pythonw.exe to run a base64-encoded command:

"pw.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHl6aXJpcyY2F...'))"

In general, nothing new, right? Base64 again. But why not use it for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "pythonw.exe" AND cmdline: "base64.b64decode"

See you tomorrow!
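As an added example (not part of the original post or the cited report), here is the hunting query expressed in Python over constructed process-creation events, plus two triage steps the query alone does not give: flagging that the on-disk name (pw.exe) differs from the PE original filename, which is exactly why keying on proc_file_originalfilename survives the rename, and decoding the inline base64 literal so the next stage can be read without executing it. Field names mirror the query; proc_file_name is an assumed field, and the sample payload is a harmless constructed stand-in.

```python
import base64
import re
# Constructed sample process-creation events in the shape of the hunting query
# (event_type, proc_file_originalfilename, cmdline; proc_file_name is an assumed
# field). The inner script is a harmless constructed stand-in, not the report's.
INNER_SCRIPT = "print('hello from the decoded stage')"
SAMPLE_EVENTS = [
    {   # renamed pythonw.exe running an inline base64 decode-and-exec
        "event_type": "processcreatewin",
        "proc_file_name": "pw.exe",
        "proc_file_originalfilename": "pythonw.exe",
        "cmdline": '"pw.exe" -c "import base64;exec(base64.b64decode(\'%s\'))"'
                   % base64.b64encode(INNER_SCRIPT.encode()).decode(),
    },
    {   # benign: pythonw.exe launching a script file, no inline decode
        "event_type": "processcreatewin",
        "proc_file_name": "pythonw.exe",
        "proc_file_originalfilename": "pythonw.exe",
        "cmdline": '"pythonw.exe" C:\\tools\\gui_app.py',
    },
    {   # same string under another interpreter: the query must not match it
        "event_type": "processcreatewin",
        "proc_file_name": "powershell.exe",
        "proc_file_originalfilename": "PowerShell.EXE",
        "cmdline": 'powershell -c "echo base64.b64decode"',
    },
]
B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def matches_hunt(event):
    """Python form of the hunting query: PE original filename + inline b64decode."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_originalfilename", "").lower() == "pythonw.exe"
            and "base64.b64decode" in event.get("cmdline", ""))

def is_renamed(event):
    """Triage signal: the on-disk file name differs from the PE original filename."""
    return event.get("proc_file_name", "").lower() != event["proc_file_originalfilename"].lower()

def decode_inline_payload(cmdline):
    """Decode the base64 literal passed to -c for reading; None if absent or invalid."""
    m = B64_LITERAL.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace") if m else None
    except ValueError:  # binascii.Error is a ValueError subclass: malformed base64
        return None

def hunt(events):
    """Return (event, renamed, decoded_payload) for each event the query matches."""
    return [(e, is_renamed(e), decode_inline_payload(e["cmdline"])) for e in events if matches_hunt(e)]
```

Feeding real telemetry through hunt() gives the analyst the decoded next stage for reading alongside the hit, instead of only the opaque base64 string from the command line.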