Examining Python Malware And AV Detection

What does Python malware look like?

It comes in many flavors

Python malware has recently taken off because of its ease of development and deployment. Due to it's simple nature, it's easy to do many different things. The example below is what could be considered ransomware, it targets an arbitrary folder and turns it into an encrypted zip. It also leaves the old folder behind but real ransomware won't do this.

When we turn the Python PE file into Python byte code using pyinstxtractor.py then examine that byte code with uncompyle6, we can see a few different instructions off the bat that should indicate this could be ransomware. Things like AES, encryption, zipping files, and setting a password all should raise flags in modern AV.

What does detection for this look like?

But, as illustrated below, this file isn't flagged for detection by a majority of AV. Defender correctly categorizes this as a Win32/Wacapew.C!ml which indicates that this program might block access to a users folder.

 

So why hasn't a lot modern AV caught up with this? Evidently AV like Sophos can spot Python malware, as indicated by this VirusTotal sample for SeaDuke, so is their threshold just too low? When downloading this on a Defender protected system using Brave, i.e. not using a Defender protected browser, Defender still performs a code analysis on the file and correctly identifies it as malicious.

This is something that Sophos business didn't even do or flag, let alone their Home product. Looking at Sophos Home features, they analyze for known threats using signature detection and offer predictive AI threat detection to try and identify new and novel threats in the wild. You have to pay for things like advanced real time protection or ransomware protection, something every vendor should be offering on their base product, and you have to wonder if this is part of the racket of incentivizing people to pay to upgrade to something that'll actually protect you. 

To really emphasize how much Sophos is letting down its user base, I wrote a quick YARA rule based on what I saw in the hex analysis of one of the PE's I had made.

Utilizing that YARA rule is a Python script to analyze a PE file in my downloads, detect if it is a Python PE file based off what is in the compiled binary, then convert it to Python byte code and analyze that for elements that'd indicate if it was doing something malicious.

I wrote this in a couple hours. And Sophos doesn't seem to want to roll this out to their paying users even.