New PWOBot Malware Mine for Bitcoin, Log Keystrokes

The Palo Alto Networks security researchers have discovered a new malware family, called PWOBot. The strain is coded in Python and it can execute a wide range of attacks via its modular architecture.

The PWOBot infections started cropping up at numerous European organizations during the past year. In fact, the investigation carried out by Palo Alto researchers brought to light attacks dating back as far as late 2013.

These are the following organizations which have faced a PWOBot infection by now: a Polish national research institution, a Polish shipping company, a large Polish retailer, a Polish information technology organization, a Danish building company, and a French optical equipment provider.

Considering the fact that all infections happened after employees of the above-menitoned companies downloaded files off a Polish file hosting service (chomikuj.pl), the experts concluded that PWOBot is distributed via a Polish file sharing service.

The compromised files were generic executables compiled via the PyInstaller package which takes basic Python code and packages it as a binary.

Palo Alto says that it has only seen PWOBot packed as Windows executables so far. However, Python is a platform-agnostic language, and PyInstaller can also generate binaries for Linux, Mac OS X, FreeBSD, Solaris, and AIX.

There are various types of PWOBot infections, and until today, the experts have observed twelve versions. The reason for the large number of different versions is the PWOBot’s modular architecture.

According to the security researchers, PWOBot modules which can download and execute other binaries, launch an HTTP server, log keystrokes, execute custom Python code, query remote URLs and return results, as well as mine for Bitcoin using the victim’s CPU or GPU.
The outgoing traffic is tunneled via Tor and it uses encryption to avoid detection by security products.

While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems,” claims Josh Grunzweig from Palo Alto. “That fact, coupled with a modular design, makes PWOBot a potentially significant threat.”

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.