Malicious GitHub repositories purporting to be open-source intelligence tools and developer utilities have been used to spread the nascent PyStoreRAT malware, SiliconANGLE reports.
Execution of the repositories which include highly convincing README files, AI-generated graphics, and simulated features downloads and runs PyStoreRAT as a remote HTML application file, a report from Morphisec showed.
Aside from obtaining host identity details, privilege levels, and other system information ahead of command-and-control server registration, PyStoreRAT also enables bypass of CrowdStrike Falcon and other security systems, while crafting an NVIDIA App SelfUpdate process-mimicking scheduled task for persistence.
Moreover, PyStoreRAT, which could be distributed via USB-based lateral movement, could also facilitate the delivery of MSI installers, Python archives, PowerShell scripts, DLLs, and other HTA files.
"PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats," said Morphisec researcher Yonatan Edri.
Execution of the repositories which include highly convincing README files, AI-generated graphics, and simulated features downloads and runs PyStoreRAT as a remote HTML application file, a report from Morphisec showed.
Aside from obtaining host identity details, privilege levels, and other system information ahead of command-and-control server registration, PyStoreRAT also enables bypass of CrowdStrike Falcon and other security systems, while crafting an NVIDIA App SelfUpdate process-mimicking scheduled task for persistence.
Moreover, PyStoreRAT, which could be distributed via USB-based lateral movement, could also facilitate the delivery of MSI installers, Python archives, PowerShell scripts, DLLs, and other HTA files.
"PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats," said Morphisec researcher Yonatan Edri.




