Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

January 16, 2025 – Published on The Hacker News

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network.

According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloaded named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates.

Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads.

As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plugins such as Yoast (CVE-2024-4984, CVSS score: 6.4) and Rank Math PRO (CVE-2024-3665, CVSS score: 6.4) for initial access.

In the incident investigated by GuidePoint Security, the Python backdoor was found to be dropped about 20 minutes after the initial infection via SocGholish. The threat actor then proceeded to deliver the backdoor to other machines located in the same network during lateral movement via RDP sessions.

Read More HERE.