During a recent engagement, we reviewed the Autoruns data collected from all endpoints on the network. In that dataset, we identified the following scheduled task:
Name: 523135538
Command Line: C:\programdata\cp49s\pythonw.exe
There are a few things odd here. First, the name of the Scheduled Task: a string of random digits. Second, the installation path (C:\ProgramData\cp49s\), which is not where a Python installation normally lives. Third, pythonw.exe (the console-less interpreter) is launched without any command-line arguments or a reference to a Python script, so on the face of it the interpreter starts with nothing to run.
Our initial hypothesis was DLL sideloading (a clean interpreter picking up a malicious DLL from its own directory). After examining the Python directory, however, we identified a file named sitecustomize[.]py:
"Python's sitecustomize[.]py and usercustomize[.]py are scripts that execute automatically when Python starts, allowing for environment-specific customizations. Adversaries can exploit these files to maintain persistence by injecting malicious code." [1]
Path: C:\ProgramData\cp49s\Lib\sitecustomize[.]py
Content: See the image below.
So every time the Scheduled Task runs, the interpreter starts, Python's site initialisation imports sitecustomize.py from the Lib directory, and that script loads the malicious payload: a Python file stored under the misleading name b5yogiiy3c.dll. No script on the command line, no suspicious argument, just a bare interpreter launch. A pretty sneaky persistence method, and something you should watch out for during your next hunting session or IR gig. 🤓
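To make the finding concrete, here is an added example. It is not code from the original post and it is not the attacker's sitecustomize.py (whose content is only shown in the image). It does two things: it reproduces the start-up-hook mechanism by dropping a sitecustomize.py onto the path of a freshly launched interpreter that is given nothing to run, and it triages Autoruns-style scheduled-task records for bare python/pythonw launches, then checks an interpreter directory for sitecustomize.py / usercustomize.py without ever starting that interpreter. The record layout, paths, task names and the list of "normal" install locations are constructed assumptions for the demo.

```python
"""Added example (not the post's or the malware's code).
1. demo_hook_runs: show that a sitecustomize.py on the interpreter's path
   executes at start-up even when no script is given.
2. triage_records / find_startup_hooks: flag bare python/pythonw launches in
   Autoruns-style records and look for start-up hooks beside the interpreter.
Paths, task names and records are constructed; the install-location list is
a heuristic assumption, not an authoritative one."""
import os
import subprocess
import sys
from pathlib import Path, PureWindowsPath

HOOK_NAMES = ("sitecustomize.py", "usercustomize.py")
INTERPRETERS = ("python.exe", "pythonw.exe", "python", "python3")
# Assumption: fragments of paths where Python is normally installed on Windows.
KNOWN_INSTALL_FRAGMENTS = (
    r"\program files\python",
    r"\program files (x86)\python",
    r"\appdata\local\programs\python\python",
)


def demo_hook_runs(work_dir: str) -> bool:
    """Write a sitecustomize.py into work_dir, put work_dir on PYTHONPATH (a
    stand-in for the attacker's own Lib\\ directory, which is on sys.path by
    default) and start the interpreter with nothing to run.  site.py imports
    the hook during start-up; the hook writes a marker file as evidence."""
    hook = Path(work_dir) / "sitecustomize.py"
    marker = Path(work_dir) / "hook_ran.txt"
    hook.write_text("import pathlib\n"
                    f"pathlib.Path({str(marker)!r}).write_text('executed')\n")
    env = dict(os.environ)
    existing = [p for p in env.get("PYTHONPATH", "").split(os.pathsep) if p]
    env["PYTHONPATH"] = os.pathsep.join([work_dir] + existing)
    # "-c pass" is the portable equivalent of a bare pythonw.exe launch:
    # no script, no arguments, the interpreter only initialises.
    subprocess.run([sys.executable, "-c", "pass"], env=env, check=True)
    return marker.exists()


def split_launch_string(launch: str) -> tuple[str, str]:
    """Separate the image path from its arguments, honouring a quoted path."""
    launch = launch.strip()
    if launch.startswith('"'):
        end = launch.find('"', 1)
        return launch[1:end], launch[end + 1:].strip()
    image, _, args = launch.partition(" ")
    return image, args.strip()


def triage_task(entry: str, launch: str) -> list[str]:
    """Reasons a task record resembles the post's finding; [] means clean."""
    image, args = split_launch_string(launch)
    reasons = []
    if PureWindowsPath(image).name.lower() in INTERPRETERS:
        if not args:
            reasons.append("python interpreter launched with no script or arguments")
        if not any(frag in image.lower() for frag in KNOWN_INSTALL_FRAGMENTS):
            reasons.append(f"interpreter outside a known install location: {image}")
    if entry.isdigit():
        reasons.append("task name is only digits")
    return reasons


def triage_records(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Run triage_task over records with 'Entry' and 'Launch String' keys
    (a simplified subset of the real Autoruns CSV columns)."""
    hits = []
    for rec in records:
        reasons = triage_task(rec["Entry"], rec["Launch String"])
        if reasons:
            hits.append((rec["Entry"], reasons))
    return hits


def find_startup_hooks(install_dir: str) -> list[str]:
    """Static check of a copied or mounted interpreter directory: list any
    sitecustomize.py / usercustomize.py in the root, Lib\\ or site-packages,
    without starting that interpreter (which is what would run the hook)."""
    root = Path(install_dir)
    dirs = (root, root / "Lib", root / "Lib" / "site-packages")
    return sorted(str(d / h) for d in dirs for h in HOOK_NAMES if (d / h).is_file())


# Constructed sample records, modelled on the task in the post.
SAMPLE_RECORDS = [
    {"Entry": "523135538", "Launch String": r"C:\programdata\cp49s\pythonw.exe"},
    {"Entry": "UpdateCheck",
     "Launch String": r'"C:\Program Files\Python311\python.exe" C:\tools\check.py'},
    {"Entry": "Backup", "Launch String": r"C:\Windows\System32\cmd.exe /c backup.bat"},
    {"Entry": "Sync",
     "Launch String": r'"C:\Users\bob\AppData\Local\Programs\Python\Python312\pythonw.exe"'},
]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("hook executed on bare launch:", demo_hook_runs(tmp))
        Path(tmp, "Lib").mkdir()
        Path(tmp, "Lib", "sitecustomize.py").write_text("# payload loader\n")
        print("hooks found:", find_startup_hooks(tmp))
    for entry, reasons in triage_records(SAMPLE_RECORDS):
        print(entry, "->", "; ".join(reasons))
```

Two caveats worth remembering at the keyboard: never start a suspect interpreter to "see what it does", because the hook is exactly what would run, and if you must launch one, `-S` skips the site module and with it sitecustomize/usercustomize (note that `-I` only ignores PYTHONPATH and the user site directory, so it does not protect against a hook sitting in the interpreter's own Lib directory). That is why the check above reads the Lib directory statically instead of asking the interpreter what it loaded.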