The AhnLab Security Intelligence Center (ASEC) has uncovered a cyberattack campaign that uses the PyBitmessage library to evade conventional antivirus and network security controls.
The campaign delivers a new backdoor together with a Monero coin miner and relies on anonymous, peer-to-peer messaging for command and control, which frustrates both detection and attribution.
P2P Communications Replace Conventional C2 Methods
Unlike typical backdoors that employ HTTP requests or direct IP connections to communicate with their command-and-control (C2) infrastructure, this malware instead utilizes the Bitmessage protocol via the PyBitmessage Python library.
Bitmessage is a decentralized, peer-to-peer messaging protocol: messages are encrypted end-to-end, relayed by every node in the network, and addressed to identifiers derived from public keys rather than to hosts, so there is no server, domain or IP address that identifies the recipient.
By issuing commands over this protocol, the attackers hide their C2 traffic among legitimate Bitmessage messages and leave defenders nothing to block at the network perimeter.
This makes it exceptionally difficult for security products to separate benign from malicious activity, and it complicates detection, analysis and response.
Technical Analysis of Attack Chain and Payloads
The infection chain begins when the dropper executes: it extracts the Monero coin miner and the backdoor from its own resource section, XOR-decrypts them and writes them to disk.
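The resource-carving step above is the first thing an analyst reproduces when triaging such a dropper. The following Python is an added example, not code from ASEC's report or from the malware: it assumes the resource is a PE file XORed with a short repeating key (the report only says "XOR operations", so the key length and the single-pass scheme are assumptions), and it recovers the key from the known DOS-stub text that sits at offset 0x4E of almost every PE image, then validates the result by checking the MZ and PE signatures. The encrypted blob at the bottom is constructed for the demo.

```python
import struct
from typing import Optional, Tuple

# Known plaintext present in almost every PE file: the DOS stub message, which
# the MSVC linker places at offset 0x4E of the image.
DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is its own inverse, so this both
    obfuscates and de-obfuscates)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(image: bytes) -> bool:
    """Cheap sanity check: MZ header and a PE signature where e_lfanew points."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key of up to max_key_len bytes from an
    obfuscated PE image, using the DOS stub as known plaintext.

    Returns the key, or None if no candidate decrypts to something PE-shaped.
    """
    end = DOS_STUB_OFFSET + len(DOS_STUB)
    if len(blob) < end:
        return None
    # ciphertext XOR known plaintext gives the key stream at that position:
    # stream[i] == key[(DOS_STUB_OFFSET + i) % key_len]
    stream = xor_bytes(blob[DOS_STUB_OFFSET:end], DOS_STUB)
    for key_len in range(1, max_key_len + 1):
        # A repeating key shows up as a key stream that repeats every key_len bytes.
        if any(stream[i] != stream[i + key_len] for i in range(len(stream) - key_len)):
            continue
        key = bytearray(key_len)
        for i in range(key_len):
            key[(DOS_STUB_OFFSET + i) % key_len] = stream[i]
        candidate = bytes(key)
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def extract_payload(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, decrypted image) for an XOR-obfuscated PE blob, else None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


# --- Constructed sample: a minimal PE-shaped header, not a real malware resource ---
def build_sample_pe() -> bytes:
    image = bytearray(0x100)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    image[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    image[0x80:0x84] = b"PE\0\0"
    return bytes(image) + b"\x90" * 64  # filler "code"


SAMPLE_KEY = b"\x5a\xa7\x13\xc0"  # assumed 4-byte key for the demo only
ENCRYPTED_RESOURCE = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = extract_payload(ENCRYPTED_RESOURCE)
    if result is None:
        print("no XOR-obfuscated PE found")
    else:
        key, image = result
        print(f"key {key.hex()} recovered; image starts with {image[:2]!r}")
```

On a real sample, replace ENCRYPTED_RESOURCE with the raw bytes of the suspicious resource (for example, read with pefile). If the dropper uses a rolling or non-repeating key the periodicity check will fail and the function returns None rather than guessing, which is the behaviour you want in a triage script.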

The miner is dropped into a temporary directory together with the files it needs: config.json (the mining configuration, which names the pool endpoints listed in the IOCs below), WinRing0x64.sys (a kernel driver that Monero miners load to access CPU model-specific registers for faster hashing) and idle_maintenance.exe. Monero is the usual choice for such campaigns because its privacy features make the proceeds hard to trace.
The miner then quietly consumes the victim's CPU to mine cryptocurrency for the attackers.
In parallel, the backdoor component bootstraps itself by installing PyBitmessage on the victim machine, downloading the library either from GitHub or from a file-sharing service associated with Russian-speaking users (the spac1.com URL in the IOC list below).
The backdoor is built from PyInstaller-packaged files, which unpack at launch into a %TEMP%\_MEIxxxxxx directory (PyInstaller's standard staging location, where xxxxxx is a run-specific number), and it listens on a local port for incoming POST requests.
Among the unpacked files is QtGui4.dll, the PyQt4 GUI library that PyBitmessage depends on; the report notes that it has been tampered with, apparently to obscure the malware's presence.
Once running, the backdoor establishes persistence and waits for instructions.
Commands arrive as Bitmessage messages, so they are encrypted end-to-end and carry no sender IP address; the backdoor typically executes them as PowerShell scripts, which leaves little on disk for forensic review.
Using PowerShell as the payload executor also gives the operators flexibility in post-exploitation tasks without redeploying the backdoor.
By blending their C2 traffic within legitimate Bitmessage streams and abusing the native capabilities of PyBitmessage, attackers are capitalizing on the protocol’s resistance to interception and tracing.
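Because the C2 channel has no domain or IP address to block, detection has to come from the host-side artifacts the report describes: the PyInstaller staging directory with QtGui4.dll in it, the miner's driver and helper files, outbound connections on Bitmessage's default peer port (TCP 8444), and PowerShell spawned with hidden or encoded flags by a process living in a user-writable directory. The following Python is an added example, not ASEC's detection logic: it runs four such rules over a handful of Sysmon-style events (IDs 1, 3 and 11 for process create, network connect and file create) and correlates the hits by host. The event records, host names, paths, addresses and the empty allowlist of sanctioned Bitmessage clients are all constructed for the demo.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

BITMESSAGE_PORT = 8444  # Bitmessage's default peer-to-peer port
PYINSTALLER_TEMP = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)
SUSPICIOUS_PS_FLAGS = re.compile(r"-enc\w*|hidden", re.IGNORECASE)
MINER_ARTIFACTS = {"winring0x64.sys", "idle_maintenance.exe"}
# Images for which an outbound 8444 connection is expected. Assumed empty here;
# an organisation with a sanctioned Bitmessage client would list its path.
ALLOWED_BITMESSAGE_IMAGES: set = set()


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> List[Tuple[str, str]]:
    """Apply the rules to one Sysmon-style event and return (rule, detail) hits."""
    hits: List[Tuple[str, str]] = []
    if ev["id"] == 1:  # process creation
        if (basename(ev["image"]) == "powershell.exe"
                and USER_WRITABLE.search(ev["parent"])
                and SUSPICIOUS_PS_FLAGS.search(ev["cmdline"])):
            hits.append(("suspicious_powershell_child", f"{ev['parent']} -> {ev['cmdline']}"))
    elif ev["id"] == 3:  # network connection
        if (ev["dport"] == BITMESSAGE_PORT
                and ev["image"].lower() not in ALLOWED_BITMESSAGE_IMAGES):
            hits.append(("bitmessage_peer_connection", f"{ev['image']} -> {ev['dst']}:{ev['dport']}"))
    elif ev["id"] == 11:  # file creation
        name = basename(ev["target"])
        if name in MINER_ARTIFACTS:
            hits.append(("miner_component_dropped", ev["target"]))
        if name == "qtgui4.dll" and PYINSTALLER_TEMP.search(ev["target"]):
            hits.append(("pyinstaller_qt_bundle_unpacked", ev["target"]))
    return hits


def detect(events: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Group rule hits by host so the miner, the Bitmessage channel and the
    PowerShell execution surface together as one incident."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            findings[ev["host"]].append(hit)
    return dict(findings)


# Constructed sample telemetry; nothing here is taken from a real incident.
SAMPLE_EVENTS = [
    {"id": 11, "host": "ws01", "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys"},
    {"id": 11, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\bmclient.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\_MEI48122\QtGui4.dll"},
    {"id": 3, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\bmclient.exe",
     "dst": "203.0.113.10", "dport": 8444},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\bmclient.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand VwByAGkAdABlAA=="},
    # benign activity on a second host: browser TLS and an interactive shell
    {"id": 3, "host": "ws02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "198.51.100.7", "dport": 443},
    {"id": 1, "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host)
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

Each rule on its own is noisy (PyQt bundles and encoded PowerShell both have legitimate uses), which is why the host-level correlation matters: a single workstation that trips the miner, Bitmessage and PowerShell rules within a short window is a much stronger signal than any one of them.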

The picture is compounded by the distribution method: the malware is passed off as legitimate or cracked software on file-sharing platforms and torrent sites.
Because the tooling combines legitimate open-source components with the attackers' own modifications, both forensic investigation and automated detection are harder than they would be for a bespoke backdoor.
In its report, ASEC stresses the importance of not downloading software from untrusted sources, and of monitoring endpoints closely, in particular for unexpected peer-to-peer traffic such as Bitmessage.
Keeping security products and operating systems up to date remains an essential line of defense against threats of this kind.
Indicators of Compromise (IOCs)
The MD5 values are file hashes of the samples. The four pool entries are the mining-pool endpoints (host and port) from the miner's configuration, and the final URL is the file-sharing page from which the backdoor downloads PyBitmessage.
Type | Value |
---|---|
MD5 | 17909a3f757b4b31ab6cd91b3117ec50 |
MD5 | 29d43ebc516dd66f2151da9472959890 |
MD5 | 36235f722c0f3c71b25bcd9f98b7e7f0 |
MD5 | 498c89a2c40a42138da00c987cf89388 |
MD5 | 604b3c0c3ce5e6bd5900ceca07d587b9 |
URL | http://krb.miner.rocks:4444/ |
URL | http://krb.sberex.com:3333/ |
URL | http://pool.karbowanec.com:3333/ |
URL | http://pool.supportxmr.com:3333/ |
URL | https://spac1.com/files/view/bitmessage-6-3-2-80507747/ |