Python-Based Malware Infects European Companies

Matthew Broersma,
python snake programming language danger © fivespots Shutterstock

The use of Python means the PWOBot malware could easily be ported to different operating systems, says Palo Alto Networks

IT security researchers have discovered an unusual family of malicious code written entirely in the Python programming language, making it easy to port to different operating systems.

The malware uses a modular design that allows it to carry out a selection of different attacks, including executing files, logging keystrokes, mining bitcoins using the affected system’s CPU resources, executing arbitrary Python code and communicating with a remote server, according to Palo Alto Networks.

European organisations targeted

Hacker, programmer, code, laptop © SP-Photo, Shutterstock 2014

At least 12 variants of the “PWOBot” malware are known to exist, with six having been spotted on the open Internet, Palo Alto said.

It found the malware has been involved in attacks dating back at least to the end of 2013 and has targeted a number of European organisations, particularly in Poland. During the latter half of 2015 targets in the country included a national research institution, a shipping company, a large retailer and an IT organisation, as well as a construction company in Denmark and an optical equipment provider in France, Palo Alto said.

“While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems,” the firm said in an advisory. “That fact, coupled with a modular design, makes PWOBot a potentially significant threat.”

The malware family hasn’t previously been disclosed to the public, Palo Alto said.

Disguised downloads

It isn’t clear how the malware initially made its way onto affected systems, the firm said – it could have been via an email-borne phishing attack or via a user download. The malware disguises itself as various Windows utility programs and has been spotted on popular Polish file-sharing site chomikuj.pl, Palo Alto said.

The company noted that PWOBot uses the Tor network to communicate with remote servers, which could help organisations spot it on their systems.

“While (Tor) provides both encryption and anonymity, it also should raise alerts to an organisation’s network administrators if viewed, as such traffic likely violates said organisation’s policies,” Palo Alto said.

Are you a security pro? Try our quiz!