PyFlash
PyFlash is a Trojan backdoor that the Turla group has recently used to target government officials and politicians with ties to the Armenian government. The PyFlash backdoor has been used in combination with NetFlash, a Trojan downloader that also appears to be a private hacking tool developed and used by the Turla group.
PyFlash serves as a secondary payload that the NetFlash downloader deploys to compromised systems. Propagation relies on tampered Adobe Flash Player update installers hosted on Armenian websites that the Turla hackers have compromised. This strategy lets the attackers limit the scope of their campaign while making it more likely that targets will trust an update package served by a website they browse regularly.
As the name suggests, PyFlash is written in Python. The threat does not arrive compiled; instead, the NetFlash downloader fetches the source code from the control server together with the 'py2exe' utility, a legitimate tool that converts Python scripts into Windows executables. Using this utility, the PyFlash script is built and launched on the compromised Windows machine.
Once initialized, PyFlash connects to another remote Command and Control server that will feed it commands. All network traffic between the control server and the infected machine is encrypted. The attackers are able to use the PyFlash implant to:
- Fetch and execute additional payloads from a provided URL.
- Execute Windows commands and send the result to the attacker's server.
- Schedule the PyFlash payload to be launched every 'X' minutes by abusing the Windows Task Scheduler service.
- Self-destruct.
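A defender-side check for the scheduled-task persistence listed above, written as an added example for this page and not taken from the original or from any analysis of PyFlash: it parses constructed lines in the shape of `schtasks /query /fo CSV /v` output (the column names are an assumption) and flags tasks that repeat on a minute interval and launch a Python script, or an executable from a user-writable directory.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output.
# Assumption: column names follow that command; only the columns used here are kept.
SAMPLE_TASKS = r"""
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","Weekly","N/A","SYSTEM"
"\FlashUpdateCheck","C:\Users\alice\AppData\Local\Temp\pyflash\update.exe","One Time Only","0 Hour(s), 5 Minute(s)","alice"
"\PyUpdater","C:\Python27\python.exe C:\Users\alice\AppData\Roaming\fl.py","Daily","0 Hour(s), 10 Minute(s)","alice"
"\OneDrive Standalone Update Task","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","N/A","alice"
"""

# Heuristics: a minute-based repeat interval, a Python interpreter or .py script as the
# command, and a binary living under a user-writable profile directory.
MINUTE_REPEAT = re.compile(r"(\d+)\s*Minute", re.I)
PYTHON_LAUNCH = re.compile(r"(python\w*\.exe|\.py\b)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)


def suspicious_tasks(csv_text):
    """Return [(task name, [reasons])] for tasks matching the PyFlash persistence pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        cmd = row["Task To Run"]
        reasons = []
        m = MINUTE_REPEAT.search(row["Repeat: Every"])
        if m:
            reasons.append(f"repeats every {m.group(1)} min")
        if PYTHON_LAUNCH.search(cmd):
            reasons.append("launches python/.py")
        if USER_WRITABLE.search(cmd):
            reasons.append("binary in user-writable path")
        # Require the short repeat interval plus at least one other indicator to cut noise
        # from legitimate updaters that only match a single heuristic.
        if len(reasons) >= 2 and reasons[0].startswith("repeats"):
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for name, why in suspicious_tasks(SAMPLE_TASKS):
        print(f"{name}: {', '.join(why)}")
```

Run the same function over real `schtasks` output redirected to a file to triage hosts that downloaded the fake Flash update.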
This particular Turla campaign stands out because of the 'watering hole' attack method it uses – the compromised Armenian websites serving the fake Adobe Flash Player update are unlikely to raise any red flags for a user who is not tech-savvy. The best way to defend networks from such attacks is to make sure users know not to download unsolicited software updates, even if they appear to come from a trustworthy source – such updates should only be fetched from the software vendor's official website. Furthermore, computers should be protected by a regularly updated anti-virus service.