A lot of the recent buzz in the InfoSec community was about the IRONGATE malware. IRONGATE was recently discovered by FireEye while hunting for PyInstaller-crafted executables in VirusTotal.
PyInstaller is a tool that bundles a Python script, its dependencies and a Python interpreter into a single stand-alone executable for Windows, Linux, macOS and other platforms. Because Python is quick to develop in and PyInstaller makes deployment trivial, malware authors can turn a script into a self-contained executable with very little effort: no compiler toolchain, and no need for Python to be installed on the victim machine.
But how can we defend against this kind of threat? We need to perform the following steps:
1. Identify PyInstaller executables
2. Analyze the PyInstaller executable by recovering and reviewing the Python code it was built from
3. Remediate according to the specific threat found
1. Identifying PyInstaller Executables
There's a YARA signature created by Didier Stevens that can be used in either an automatic or a manual mode to detect PyInstaller files. The signature looks for a string that the PyInstaller bootloader embeds in every executable it builds, so it fires on the bootloader itself rather than on any particular payload. Keep in mind that a single-string match is only a first filter: a modified bootloader or an extra packer layer on top of the executable will hide the string, and a hit tells you only that the file was built with PyInstaller, not that it is malicious.
2. Analyzing The PyInstaller Executable
To deal with PyInstaller files, we can extract the Python bytecode bundled inside any PyInstaller file, decompile it back to Python source, and then analyze the code to understand its purpose, maliciousness and full threat potential.
Unlike native executable binaries, which have to be disassembled and read as hard-to-follow assembly code in order to be fully analyzed, a PyInstaller executable is usually simple and fast to analyze: the embedded .pyc modules decompile back to readable Python, so the entire program logic is exposed. The exceptions are builds where the author obfuscated the source before bundling, or used PyInstaller's optional bytecode encryption (the --key option of older PyInstaller versions), which adds a decryption step before the code can be decompiled.
Extracting the embedded Python code can be done by using the excellent pyinstxtractor project (https://github.com/extremecoders-re/pyinstxtractor).
It is used by running the pyinstxtractor.py script with the suspicious file as its argument, ideally under the same Python major.minor version the sample was built with (the script prints the version it detects in the archive and warns on a mismatch):
python pyinstxtractor.py PYINSTALLER_TEST_FILE.exe
This creates a PYINSTALLER_TEST_FILE.exe_extracted directory next to the sample, holding the bundled modules as .pyc files, the contents of the PYZ archive in a PYZ-00.pyz_extracted subdirectory, and any bundled binaries; the script also names the entries it believes are the program's entry points ("Possible entry point"). What you get is compiled bytecode, not source, so the last step is to decompile the entry-point .pyc files with a Python decompiler (uncompyle6 or decompyle3 for Python up to 3.8, pycdc for newer versions) and then read the resulting code to see what it does on your system.
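Both steps above, identifying a PyInstaller build and pulling its contents out, rely on the same on-disk structure: the bootloader appends an archive to the end of the executable, ends it with an 8-byte cookie magic, and keeps a table of contents that points at each bundled script, module, binary and the PYZ. The script below is an added example written for this page (it is not the article's, pyinstxtractor's or PyInstaller's own code) that detects a build by searching for that cookie, as a string signature does, and then walks the table of contents to list and decompress every entry, which is what pyinstxtractor does before writing files to disk. It handles the PyInstaller 2.1+ cookie layout only (the older 24-byte 2.0 cookie is not parsed), and the sample archive, the entry names pyiboot01_bootstrap, dropper, PYZ-00.pyz and python310.dll, and the payload strings are constructed here for the demonstration.

```python
import struct
import zlib

# Layout constants follow the CArchive format read by the PyInstaller bootloader
# (and parsed by pyinstxtractor); everything else in this file is example code.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie magic that terminates the package
COOKIE_FMT = "!8siiii64s"                   # 2.1+: magic, package len, TOC offset, TOC len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # TOC entry: entry size, data offset, compressed size, raw size, flag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-padded entry name
TYPES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ",
         b"b": "binary", b"x": "data", b"o": "option"}


def is_pyinstaller(data: bytes) -> bool:
    """Identification: a PyInstaller build carries the cookie magic in the overlay appended to the PE."""
    return data.rfind(MAGIC) != -1


def parse_archive(data: bytes) -> dict:
    """Locate the cookie, walk the table of contents and return every entry with its decompressed payload."""
    # Search backwards: the cookie is the last thing in the package, but an Authenticode
    # signature may follow it, so it is not necessarily the last 88 bytes of the file.
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos == -1:
        raise ValueError("no PyInstaller cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len       # all TOC offsets are relative to the package start
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)   # 310 -> 3.10, 27 -> 2.7
    toc = data[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    entries, pos = [], 0
    while pos < len(toc):
        size, off, csize, usize, flag, typ = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_SIZE])
        name = toc[pos + ENTRY_SIZE:pos + size].rstrip(b"\0").decode()
        raw = data[pkg_start + off:pkg_start + off + csize]
        payload = zlib.decompress(raw) if flag == 1 else raw   # flag 1 = zlib-compressed entry
        if len(payload) != usize:
            raise ValueError(f"size mismatch for entry {name}")
        entries.append({"name": name, "type": TYPES.get(typ, typ.decode()), "data": payload})
        pos += size
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def scripts(data: bytes) -> dict:
    """The 's' entries are the bundled top-level scripts: the first place to look for the malicious logic.
    In a real build each holds a marshalled code object without the .pyc header, so it still needs a decompiler."""
    return {e["name"]: e["data"] for e in parse_archive(data)["entries"] if e["type"] == "script"}


def build_archive(items, pyver=310, pylib=b"python310.dll", stub=b"MZ fake PE stub ") -> bytes:
    """Constructed sample only: write a minimal archive in the same layout so the parser can be run offline."""
    blobs, toc = b"", b""
    for name, typ, payload, compress in items:
        raw = zlib.compress(payload) if compress else payload
        nm = name.encode() + b"\0"
        entry_len = ENTRY_SIZE + len(nm)
        pad = (-entry_len) % 16                     # PyInstaller pads each TOC entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, entry_len + pad, len(blobs), len(raw), len(payload),
                           1 if compress else 0, typ) + nm + b"\0" * pad
        blobs += raw
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blobs), len(toc), pyver, pylib.ljust(64, b"\0"))
    return stub + blobs + toc + cookie


# Constructed sample: a fake stub followed by a bootstrap module, one script and a PYZ placeholder.
SAMPLE = build_archive([
    ("pyiboot01_bootstrap", b"m", b"<marshalled bootstrap module>", True),
    ("dropper", b"s", b"<marshalled code object of the author's script>", True),
    ("PYZ-00.pyz", b"z", b"PYZ\0<zipped stdlib modules>", False),
])

if __name__ == "__main__":
    print("PyInstaller build:", is_pyinstaller(SAMPLE))
    info = parse_archive(SAMPLE)
    print("built with Python", info["python"], "/", info["pylib"])
    for e in info["entries"]:
        print(f"  {e['type']:8} {e['name']:22} {len(e['data'])} bytes")
    print("scripts to decompile:", list(scripts(SAMPLE)))
```

To use this on a real sample, read the file into bytes and pass it to is_pyinstaller and parse_archive; the 's' and 'm' entries then need a .pyc header for the Python version reported in the cookie before a decompiler will accept them, which is the part pyinstxtractor automates. Searching for the cookie from the end of the file is deliberate: the bootloader itself may contain the magic bytes, so the first occurrence is not reliable, while the last one is the real cookie.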
3. Remediating According to the Threat
Remediation for PyInstaller files is not especially different from that for any other threat; it really depends on the security systems deployed in your organization and on what the recovered code actually does, such as which hosts it contacts, how it persists and which files or processes it touches.
If you need any assistance regarding a specific case, we would be happy to help — just visit our website or contact us via email at email@example.com