Malware, Threat Intelligence, DevSecOps

PyStoreRAT malware spread via counterfeit developer tools

In this photo illustration, the homepage of the GitHub website seen on a computer screen through a magnifying glass.

Malicious GitHub repositories purporting to be open-source intelligence tools and developer utilities have been used to spread the nascent PyStoreRAT malware, SiliconANGLE reports.

Execution of the repositories which include highly convincing README files, AI-generated graphics, and simulated features downloads and runs PyStoreRAT as a remote HTML application file, a report from Morphisec showed.

Aside from obtaining host identity details, privilege levels, and other system information ahead of command-and-control server registration, PyStoreRAT also enables bypass of CrowdStrike Falcon and other security systems, while crafting an NVIDIA App SelfUpdate process-mimicking scheduled task for persistence.

Moreover, PyStoreRAT, which could be distributed via USB-based lateral movement, could also facilitate the delivery of MSI installers, Python archives, PowerShell scripts, DLLs, and other HTA files.

"PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats," said Morphisec researcher Yonatan Edri.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds