New remote access trojan impersonating Cortana is targeting Windows PCs
Windows PCs are currently under attack from a new, previously undetected Python-based malware that can steal passwords and other sensitive data from victims’ browsers.
According to the threat analytics company Securonix, this malware is a remote access trojan (RAT) dubbed PY#RATION. It’s currently being spread through a phishing campaign that attaches password-protected ZIP files to emails; each archive contains two .lnk shortcut files disguised as images depicting the front and back of a driver’s license.
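One defensive check that follows from the lure described above is to triage e-mailed ZIP attachments for shortcut files before anyone opens them. The script below is an added example, not code from Securonix or the article: it lists the archive’s entries without extracting them (entry names stay readable even when the contents are password-protected) and flags any .lnk entry, with a stronger verdict for shortcuts that carry an image-style double extension. The sample file names are constructed; the article does not give the real ones.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Image extensions a disguised shortcut might carry, e.g. "licence_front.jpg.lnk".
# Assumption: the article only says the .lnk files pose as driver's-licence images.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment by reading its central directory only.

    No entry is extracted, so password-protected archives are handled too:
    the file names are not encrypted, only the contents are.
    """
    findings = {"encrypted": False, "lnk_entries": [], "lnk_posing_as_image": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # bit 0 of the general-purpose flag: entry is encrypted
                findings["encrypted"] = True
            name = PurePosixPath(info.filename)
            if name.suffix.lower() == ".lnk":
                findings["lnk_entries"].append(info.filename)
                # Double extension check: the part before ".lnk" ends in an image type.
                inner = PurePosixPath(name.stem).suffix.lower()
                if inner in IMAGE_EXTS:
                    findings["lnk_posing_as_image"].append(info.filename)
    return findings

def verdict(findings: dict) -> str:
    """Map triage findings to a mail-gateway decision."""
    if findings["lnk_posing_as_image"]:
        return "block"        # matches the image-disguised shortcut lure
    if findings["lnk_entries"]:
        return "quarantine"   # any shortcut inside an e-mailed archive deserves review
    return "allow"

def build_sample_zip() -> bytes:
    """Constructed sample resembling the lure: two shortcuts named like licence photos."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("licence_front.jpg.lnk", b"L\x00\x00\x00")  # placeholder bytes, not a real .lnk
        zf.writestr("licence_back.jpg.lnk", b"L\x00\x00\x00")
    return buf.getvalue()

if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print(result, "->", verdict(result))
```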
What sets PY#RATION apart from other Windows malware strains is that, according to BleepingComputer, it uses the WebSocket protocol to communicate with its command and control (C&C) server, which is where data stolen from infected PCs is sent.
Although research on this malware has only just come to light, Securonix notes that it is actively being used in attacks, and its researchers have observed multiple versions of PY#RATION since it first appeared in August of last year.
When launched, the two shortcuts contained in the ZIP files execute malicious code in the background while unsuspecting users are looking at the driver’s license images. This code is used to contact the attacker-controlled C&C server and download two text (.txt) files that are then renamed to BAT (.bat) files.
The malware also creates “Cortana” and “Cortana/Setup” directories in the victim’s temporary folder. Further executable files are then downloaded, unpacked and run from this location.
PY#RATION establishes persistence on an infected Windows PC by adding a batch file called “CortanaAssist.bat” to the user’s startup directory. This makes the malware harder to spot, as infected users may mistake it for a legitimate Windows system file rather than a virus hiding in plain sight.
Although Microsoft’s virtual assistant isn’t nearly as popular as it once was, it’s still included in both Windows 10 and Windows 11. However, in the latest version of Windows, Cortana is no longer pinned to the taskbar. Fortunately, you can also uninstall Cortana if you think Microsoft’s virtual assistant is too invasive.
Stealing browser and clipboard data
The latest version of PY#RATION (1.6.0) contains a number of features to make it easier for hackers to steal data from infected PCs.
For instance, the malware can transfer files to and from a C&C server, record keystrokes, detect if an infected machine is running antivirus software, steal clipboard data and extract both passwords and cookies from web browsers. All of this stolen data can then be used to commit fraud or even identity theft.
Besides stealing data from Google Chrome, Brave, Opera and Microsoft Edge, PY#RATION can also steal information from cryptocurrency wallets as well as user and system data from an infected PC.
How to stay safe from Windows malware
Securonix points out that since English is the main language used throughout PY#RATION and the lure images used in this campaign are of a UK driver’s license, the malware is likely being used to target Windows users in the UK or North America.
To stay safe from this and other malware, you should always avoid opening email attachments from unknown senders. While the files inside might seem innocent at first, there could be something malicious going on in the background as is the case here.
Installing a reputable antivirus solution can help prevent malware from infecting your PC, and many of these programs also include additional protections against phishing. As for keeping your passwords and other sensitive data secure, use a dedicated password manager rather than storing passwords in your browser. That way it will be far harder for hackers to get hold of them even if they do manage to infect your computer with malware.
Now that Securonix has shined a light on PY#RATION, we’ll likely find out even more about this new Windows malware including details on the hackers using it in their attacks.