14 DAY TRIAL // Security experts from Palo Alto Networks have discovered PWOBot, a new malware family coded in Python that can execute a broad range of attacks via its modular architecture.
PWOBot infections started cropping up at multiple European organizations during mid-to-late 2015. The subsequent investigation carried out by Palo Alto researchers also brought to light attacks dating back as far as late 2013.
Until now, only the following organizations have faced a PWOBot infection: a Polish national research institution, a Polish shipping company, a large Polish retailer, a Polish information technology organization, a Danish building company, and a French optical equipment provider.
PWOBot distributed via a Polish file sharing service
All infections happened after employees of these companies downloaded files off a Polish file hosting service (chomikuj.pl).
The malicious files were generic executables compiled via the PyInstaller package that takes basic Python code and packages it as a binary.
Until now, Palo Alto says it has only seen PWOBot packed as Windows executables, but Python is a platform-agnostic language, and PyInstaller can also generate binaries for Linux, Mac OS X, FreeBSD, Solaris, and AIX.
PWOBot is modular, can carry out a broad range of attacks
Not all PWOBot infections were of the same kind, and researchers observed twelve different versions. PWOBot's modular architecture is the reason for this large number of different versions.
Researchers say they discovered PWOBot modules that can download and execute other binaries, launch an HTTP server, log keystrokes, execute custom Python code, query remote URLs and return results, and also mine for Bitcoin using the victim's CPU or GPU.
All outgoing traffic is tunneled via TOR and uses encryption to avoid detection by security products.
"While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems," Palo Alto's Josh Grunzweig explains. "That fact, coupled with a modular design, makes PWOBot a potentially significant threat."