This Windows malware is Stealing Passwords and Other Data — How to Stay Safe

Windows PCs are currently under attack by a new, previously undiscovered Python-based malware that steals passwords and other sensitive data from victims' browsers.

According to threat analysis firm Securonix, the malware is a remote access trojan (RAT) named PY#RATION. The malware is currently being spread through a phishing campaign that uses a password-protected ZIP file attached to an email. The archive contains two .lnk files disguised as images depicting the front and back of a driver's license.

PY#RATION differs from other Windows malware in that, according to BleepingComputer, it uses the WebSocket protocol to communicate with the command-and-control (C&C) server to which the stolen data is sent from the infected PC.

Although new research on this malware has just come to light, Securonix researchers note that it is currently being used in attacks and that they have observed multiple versions of PY#RATION since its appearance last August.

When launched, the two shortcuts contained in the ZIP file execute malicious code in the background while the unsuspecting user views images of driver's licenses. This code is used to contact a C&C server controlled by the attacker and download two text (.txt) files renamed to BAT (.bat) files.

The malware also creates "Cortana" and "Cortana/Setup" directories in the victim's temporary folder. From this location, further executables are downloaded, unzipped, and executed.

PY#RATION establishes persistence on infected Windows PCs by adding a batch file called "CortanaAssist.bat" to the user's startup directory. This makes detection difficult because infected users may mistake the file for a legitimate Windows component rather than a virus hiding in plain sight.
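As an added, defender-side example (not code from the article or from Securonix), the following Python hunt script checks a Windows user profile for the two persistence artifacts named above. The file and directory names come from the article; the default paths are the standard per-user Startup folder and %TEMP% location, and the function names are my own.

```python
"""Hunt for the PY#RATION persistence artifacts described in the article:
a .bat file (CortanaAssist.bat) in the user's Startup folder and the
Cortana / Cortana\Setup staging directories under %TEMP%."""
import os
from pathlib import Path

STARTUP_BAT = "cortanaassist.bat"            # name reported by Securonix
STAGING_DIRS = ("Cortana", "Cortana/Setup")  # created under %TEMP% per the report


def default_startup_dir() -> Path:
    """Standard per-user Startup folder on Windows (assumption: %APPDATA% is set)."""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup"


def default_temp_dir() -> Path:
    """Per-user temporary folder; falls back to /tmp when run off-Windows."""
    return Path(os.environ.get("TEMP", "/tmp"))


def find_pyration_indicators(startup_dir: Path, temp_dir: Path) -> list[dict]:
    """Return a list of findings (dicts); an empty list means nothing was seen.

    Any .bat in Startup is unusual and is reported as 'medium'; the exact
    name from the report is 'high'. Existing staging directories are listed
    with the files they currently hold so an analyst can collect them."""
    findings: list[dict] = []
    if startup_dir.is_dir():
        for entry in startup_dir.iterdir():
            if entry.is_file() and entry.suffix.lower() == ".bat":
                severity = "high" if entry.name.lower() == STARTUP_BAT else "medium"
                findings.append({"type": "startup_bat", "path": str(entry),
                                 "severity": severity,
                                 "size": entry.stat().st_size})
    for rel in STAGING_DIRS:
        staging = temp_dir / rel
        if staging.is_dir():
            files = [str(p) for p in staging.iterdir() if p.is_file()]
            findings.append({"type": "staging_dir", "path": str(staging),
                             "severity": "medium", "files": files})
    return findings


if __name__ == "__main__":
    hits = find_pyration_indicators(default_startup_dir(), default_temp_dir())
    for hit in hits:
        print(hit)
    print("no PY#RATION indicators found" if not hits else f"{len(hits)} finding(s)")
```

Run it under the affected user's account, since both locations are per-user; a hit on the staging directory is worth collecting before it is cleaned up.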

Cortana, Microsoft's virtual assistant, is not as prevalent as it once was, but it is still included in Windows 10 and Windows 11. In the latest versions of Windows, however, Cortana is no longer pinned to the taskbar. If you find the assistant too invasive, you can uninstall Cortana entirely.

The latest version of PY#RATION (1.6.0) includes a number of features that make it easier for hackers to steal data from infected PCs.

For example, the malware can transfer files to and from C&C servers, record keystrokes, detect whether an infected machine is running antivirus software, steal clipboard data, and extract both passwords and cookies from web browsers. All of this stolen data can be used to commit fraud or identity theft.

PY#RATION can steal data from Google Chrome, Brave, Opera, and Microsoft Edge, user and system data from infected PCs, and data from the best cryptocurrency wallets.

Securonix notes that since the primary language used in PY#RATION is English and the lure image used in this campaign is a UK driver's license, this malware is likely being used to target Windows users in the UK or North America.

To stay safe from this and other malware, you should avoid opening email attachments from unknown senders. The file inside may seem innocuous at first glance, but, as in this case, malicious things may be going on behind the scenes.

Installing the best antivirus software can prevent malware from infecting your PC. To keep your passwords and other sensitive data safe, use the best password manager instead of storing passwords in your browser. That way, even if a hacker infects your computer with malware, it will be more difficult for them to obtain your passwords.

As Securonix continues to shed light on PY#RATION, more will come to light about this new Windows malware, including details about the hackers who use it in their attacks.
