Is your business connected to the Internet for any services? Do you shop online or purchase any products or services online? Are you on Facebook, Twitter, LinkedIn or any other social networking web sites? Do you have a high-end mobile phone and use chat applications such as WhatsApp? If so, cybersecurity is an issue about which you should be concerned.
If you think that you could never be a victim of an attack originating on any of these platforms, you should think twice, because cybercriminals are keenly tracking your identities and researching your shopping behavior, watching what you do online and, ultimately, profiling the very devices through which you are connected to cyberspace. Since you are part of the bigger, interconnected network, you are a potential target of a cyberattack.
If you are thinking to yourself, “What do I possess that will interest a cybercriminal?,” think of it this way: You are targeted, not to steal anything specific, but to possibly build in-roads to a bigger trusted network to which you belong. Once your systems and networks are compromised, it may appear that the cyberattack has originated from your organization while it was actually performed by an invisible cyberattacker from your IP addresses using your system signatures.
Even if your interconnected networks are protected through a firewall or other security measures, a persistent hacker could still closely footprint your activities, e.g., when you have scheduled your next maintenance of systems and networks, how your users behave with respect to security, or which tools and technologies are deployed in your organization. In many cases, cybercriminals operate in stealth mode for a period of time before attacking. Once they are inside a network, they quickly adapt to the network's normal behavior, making it difficult for the existing intrusion detection system to flag them. People are the weakest link, and they are the link a cyberattacker targets.
Essentially, every organization in cyberspace has to rethink with whom and how it is connected, and prepare for the threats that can appear because of those interconnections. Some protection is probably already in place; it may just need strengthening through anti-hacking measures such as user awareness, firewalls, patch management, incident response, authentication, authorization and other controls.
We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.
The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine Bitcoins via the victim’s CPUs and GPUs.
There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks have been observed affecting organizations between mid-to-late 2015.
Targeting
Over the past year, we have witnessed PWOBot affecting the following organizations:
Polish national research institution
Polish shipping company
Large Polish retailer
Polish information technology organization
Danish building company
French optical equipment provider
The majority of the PWOBot samples were downloaded from chomikuj.pl, which is a popular Polish file sharing web service. The following unique URLs have been observed providing copies of PWOBot:
Additionally, in one instance the malware was downloaded from http://108.61.167.105/favicon[.]png. This IP address is associated with the tracking.huijang[.]com domain, which was also used by a number of PWOBot samples.
The following filenames were observed being used to deliver PWOBot:
Fizjologia sportu. Krótkie wykłady.exe [Physiology of sports. Short lectures.exe]
As we can see from the filenames used, a number of the PWOBot samples purport to be various software utility programs. In some instances, the Polish language is used for what appears to be a more targeted filename.
It is unclear how this malware was originally delivered to the end-user. Inferences can be made based on the filenames witnessed, as this malware may have been delivered to end-users who believed they were downloading other software. Alternatively, it’s possible that phishing attacks were used in order to entice victims into downloading these files.
Malware Analysis
As originally mentioned, PWOBot is written completely in Python. The attackers leverage PyInstaller to convert this Python code into a Microsoft Windows executable. However, as Python is being used, it can easily be ported to other operating systems, such as Linux or OSX.
Upon initial execution, PWOBot will first uninstall previous versions of PWOBot should they be found. It will query Run registry keys searching for instances of previous versions. The majority of versions use a format of ‘pwo[VERSION]’ for the Run registry key, where [VERSION] is the version number of PWOBot.
Figure 1 PWOBot uninstalling previous versions
After the previous versions are uninstalled, PWOBot will install itself and create a copy of its executable in the following location:
%HOMEPATH%/pwo[VERSION]
It will then set the following registry key to point to this newly copied executable:
If this is the first time the malware is run, PWOBot will execute the newly copied file in a new process.
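The installation routine described above leaves two host artifacts that a defender can hunt for: a Run registry value named pwo[VERSION] and a copy of the executable named pwo[VERSION] directly under the user's home directory. The following script is an added example written for this page; it is not Unit 42's code or the malware's own. It assumes only the naming convention the write-up states (a value or file name of the form "pwo" followed by the version number, optionally with an .exe extension); the sample Run entries embedded in it are constructed, not taken from a real host. On Windows it can also read the live HKCU and HKLM Run keys via the standard winreg module.

```python
"""Hunt for PWOBot-style persistence artifacts (added example, not Unit 42 code)."""
import os
import re
import sys

# Run value names of the form 'pwo5', 'pwo12', ... (convention from the write-up).
PWO_VALUE_RE = re.compile(r"^pwo(\d+)$", re.IGNORECASE)
# Run value data whose target file is named 'pwo<VERSION>' or 'pwo<VERSION>.exe'.
PWO_PATH_RE = re.compile(r"[\\/]pwo(\d+)(\.exe)?[\"']?\s*$", re.IGNORECASE)

# Constructed sample data, not observed on any real host.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("pwo12", r"C:\Users\alice\pwo12"),      # value name follows the convention
    ("Updater", r"C:\Users\alice\pwo7.exe"),  # benign-looking name, suspicious target path
]


def find_pwo_run_entries(entries):
    """Return (value_name, value_data, version) for every suspicious Run entry.

    `entries` is an iterable of (value_name, value_data) pairs as found under a
    Run key. An entry is flagged when either the value name or the file it
    launches follows the 'pwo<VERSION>' convention.
    """
    hits = []
    for name, data in entries:
        m_name = PWO_VALUE_RE.match(name.strip())
        m_path = PWO_PATH_RE.search(data.strip())
        if m_name or m_path:
            version = int((m_name or m_path).group(1))
            hits.append((name, data, version))
    return hits


def _strip_exe(name):
    return name[:-4] if name.lower().endswith(".exe") else name


def filter_pwo_names(names):
    """Keep only file names that read 'pwo<VERSION>' with or without '.exe'."""
    return sorted(n for n in names if PWO_VALUE_RE.match(_strip_exe(n)))


def home_pwo_files(home):
    """List 'pwo<VERSION>' files sitting directly in the given home directory."""
    try:
        return filter_pwo_names(os.listdir(home))
    except OSError:
        return []


def read_run_entries():
    """Collect (name, data) pairs from the HKCU and HKLM Run keys (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((name, str(data)))
                    index += 1
        except OSError:  # key missing or not readable
            continue
    return entries


if __name__ == "__main__":
    # Live check on the current host; falls back to the constructed sample elsewhere.
    entries = read_run_entries() or SAMPLE_RUN_ENTRIES
    for name, data, version in find_pwo_run_entries(entries):
        print(f"suspicious Run entry {name!r} -> {data} (PWOBot version {version})")
    for fname in home_pwo_files(os.path.expanduser("~")):  # %HOMEPATH% on Windows
        print(f"suspicious file in home directory: {fname}")
```

Both checks are deliberately narrow: they match the naming convention and nothing else, so a hit is a strong lead rather than proof, and the sample's third entry shows why the target path is worth checking even when the value name looks benign.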
After installation completes, PWOBot will hook various keyboard and mouse events, which will be used for subsequent keylogging activities. PWOBot is written in a modular fashion, allowing the attacker to include various modules during runtime. Based on the number of samples currently identified, the following services and their accompanying descriptions have been observed being included with PWOBot:
PWOLauncher : Download/execute file, or execute local file
PWOHTTPD : Spawn an HTTP server on the victim machine
PWOKeyLogger : Log keystrokes on the victim machine
PWOMiner : Mine bitcoins using the victim CPU/GPU
PWOPyExec : Execute Python code
PWOQuery : Query remote URL and return results
PWOBot also is equipped with two configuration files, one of which specifies various settings the malware should use, while another specifies what remote servers PWOBot should connect to during execution.
Figure 2 PWOBot settings configuration
Figure 3 PWOBot remote server configuration
As is visible in the settings configuration (Figure 2), PWOBot includes various Windows executables that are bundled when the attackers compile the code using PyInstaller. These executables are used to perform Bitcoin mining and to proxy requests via Tor. The Bitcoin miner is a compiled version of minerd and cgminer. These files are used for CPU and GPU Bitcoin mining respectively.
PWOBot also makes use of Tor to tunnel all traffic to the attacker’s remote server(s). While this provides both encryption and anonymity, it should also raise alerts for an organization’s network administrators if observed, as such traffic likely violates the organization’s policies.
PWOBot uses a Python dictionary as its network protocol. At a configured interval, PWOBot will send a notification message to the remote server. An example of this notification can be seen below:
Enumerations are configured to represent the various numbers encountered in the previous example. Once the numbers are replaced with their respective enumerations, we see a more complete picture of what data is being sent.
After notifications are sent, the attacker may opt to provide a command instructing PWOBot to perform one of the previously defined services. Results from said actions are then uploaded to the attacker using the same format.
In total, 12 variants of PWOBot appear to exist, based on the latest versions identified by Palo Alto Networks Unit 42. Of the 12 versions, we have witnessed versions five, six, seven, nine, 10, and 12 in the wild. Changes between versions appear minimal, and are likely performance improvements.
Conclusion
PWOBot is interesting as a malware family because it is written entirely in Python. While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems. That fact, coupled with a modular design, makes PWOBot a potentially significant threat.
This malware family has not previously been publicly disclosed. It has currently been witnessed affecting a number of European organizations.
Palo Alto Networks customers are protected from this threat in the following ways:
All PWOBot samples are properly categorized as malicious by the WildFire service.
Domains related to the PWOBot threat have been appropriately categorized as malicious.
AutoFocus customers may use the PWOBot tag to monitor this threat.
For a list of SHA256 hashes of PWOBot, please refer to the following file.
Panorama provides streamlined management, great visibility and excellent rule management across distributed networks of next-generation firewalls.
When deploying their network security management solutions, most customers deploy them in a way that is optimized for their current situation without consideration of future company or traffic growth. It is, however, critically important to plan a Panorama deployment strategically to optimize processing speeds and logging capacity/retention, as well as availability.
For example, deploying Panorama as a Virtual Machine (VM) makes a lot of sense for smaller companies that don’t have to manage many logs or firewalls. However, adding just one or two more firewalls to your distributed network may result in the VM servers being overloaded by the number of logs being generated. A small step such as adding either a dedicated management appliance or a log collector can ensure that log ingestion and retention won’t reach their limits, and processing speeds won’t be impacted.
Thanks to the flexible deployment options of Panorama, you can ensure you maximize the performance of your network security management solution by adding dedicated management appliances and log collectors, or deploying Panorama in High Availability (HA) pairs.
Learn more about Panorama by downloading the datasheet.
Thanks for reading my series on maximizing your Panorama deployment. If you have additional questions or suggestions for future topics, leave a comment for me below.