SC Media reports that an affiliate of the RansomHub ransomware-as-a-service (RaaS) operation launched an attack last quarter using a new Python backdoor whose code is believed to have been written with AI assistance.
According to GuidePoint Security, initial access was facilitated by suspected SocGholish malware. The attacker then deployed the backdoor, installed Python and the libraries it needed inside a "connecteddevicesplatform" folder on the target host, set up the Python proxy script, and abused Windows scheduled tasks for persistence.
The backdoor opened TCP connections to hardcoded IP addresses and then established a SOCKS5-like tunnel through which the attacker moved laterally, the researchers said.
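The chain described above (a Python interpreter dropped into an unusual folder, launched by a scheduled task, beaconing over TCP to fixed addresses) lends itself to a simple host-triage check. The script below is an added illustrative example, not GuidePoint's or SC Media's code: it applies two heuristics to constructed sample records shaped like parsed `schtasks /query /xml` actions and `netstat -ano` output. Only the folder name "connecteddevicesplatform" comes from the report; the full paths, task names, PIDs, IP addresses and trusted-interpreter locations are assumptions.

```python
"""Triage heuristics for the tradecraft summarised in the report above.

Added illustrative example, not GuidePoint's or SC Media's code. The task and
connection records are constructed samples; only the folder token
"connecteddevicesplatform" is taken from the report.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Interpreter locations treated as legitimately installed (assumption).
TRUSTED_PYTHON_PREFIXES = (
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"c:\python",
)
# Folder token reported for the backdoor's Python drop (from the page).
SUSPICIOUS_TOKENS = ("connecteddevicesplatform",)
# Ranges that should not count as candidate C2 destinations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class TaskAction:
    task_name: str
    command: str    # the task's <Command> element
    arguments: str  # the task's <Arguments> element


@dataclass
class TcpConnection:
    pid: int
    process: str
    remote_ip: str
    remote_port: int
    state: str


def is_suspicious_task(action: TaskAction) -> bool:
    """Flag a task that launches Python from an untrusted location or that
    references the reported drop folder: the persistence pattern above."""
    cmd = action.command.strip('"').lower()
    exe = cmd.rsplit("\\", 1)[-1]
    if exe not in ("python.exe", "pythonw.exe"):
        return False
    untrusted_interpreter = not cmd.startswith(TRUSTED_PYTHON_PREFIXES)
    touches_drop_folder = any(
        tok in cmd or tok in action.arguments.lower() for tok in SUSPICIOUS_TOKENS
    )
    return untrusted_interpreter or touches_drop_folder


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def python_c2_candidates(conns: List[TcpConnection]) -> List[TcpConnection]:
    """Established TCP sessions from a Python process to a non-internal
    address: the hardcoded-IP beaconing pattern described above."""
    return [
        c for c in conns
        if c.process.lower() in ("python.exe", "pythonw.exe")
        and c.state == "ESTABLISHED"
        and not is_internal(c.remote_ip)
    ]


# --- constructed sample data (not real telemetry; all values assumed) ---
SAMPLE_TASKS = [
    TaskAction("BackupNightly",
               r"C:\Program Files\Python312\python.exe", r"C:\Scripts\backup.py"),
    TaskAction("OneDriveSync",
               r"C:\Users\alice\AppData\Local\connecteddevicesplatform\python.exe",
               "proxy.py"),
]
SAMPLE_CONNS = [
    TcpConnection(4212, "python.exe", "203.0.113.45", 443, "ESTABLISHED"),
    TcpConnection(4212, "python.exe", "10.0.0.5", 445, "ESTABLISHED"),
    TcpConnection(1337, "chrome.exe", "203.0.113.10", 443, "ESTABLISHED"),
    TcpConnection(4212, "python.exe", "203.0.113.46", 443, "TIME_WAIT"),
]


def triage(tasks=SAMPLE_TASKS, conns=SAMPLE_CONNS) -> dict:
    """Return suspicious task names and candidate C2 tuples (pid, ip, port)."""
    return {
        "tasks": [t.task_name for t in tasks if is_suspicious_task(t)],
        "c2": [(c.pid, c.remote_ip, c.remote_port)
               for c in python_c2_candidates(conns)],
    }


if __name__ == "__main__":
    for key, hits in triage().items():
        print(key, hits)
```

On the sample data, the legitimate backup task is ignored, the task launching python.exe from the AppData drop folder is flagged, and the one established python.exe session to a non-internal address is reported; the internal 445 connection from the same PID is deliberately left out of the C2 list, since that is the tunnelled lateral movement rather than the beacon and is better correlated by PID afterwards.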
The findings follow ESET's report that RansomHub was the most active RaaS operation in the second half of 2024, having compromised almost 500 organizations in less than a year.