Security Researchers Discover a Potentially Dangerous Cross-Platform PWOBot Malware Family
This can be termed devastating news for computer users around the world: Palo Alto Networks has discovered a family of malware capable of attacking a variety of platforms, including Windows, Linux, and OS X.
The malware is written in Python and, according to Palo Alto's research, is currently spreading largely among Windows machines in Poland. However, it could very well go global, given that its Python code can be ported to other platforms.
Not only does the malware download and execute files, it also logs keystrokes and mines Bitcoins
The malware has been named PWOBot. The research firm believes the malware is quite unique because, according to Palo Alto’s threat intelligence analyst Josh Grunzweig, it “is written entirely in Python and compiled via PyInstaller to generate a Microsoft Windows executable.”
Grunzweig further added that “the malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.”
“The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server and mine Bitcoins via the victim’s CPUs and GPUs.”
PWOBot has around 12 variants, detected a few years back, but they were not equipped with the cross-platform feature. This new addition has raised eyebrows among security researchers and OS developers.
Grunzweig further explained that “The attackers leverage PyInstaller to convert this Python code into a Microsoft Windows executable. However, as Python is being used, it can easily be ported to other operating systems, such as Linux or OS X.”
Before installing itself, the malware first uninstalls any previous version, then installs the newer one with obviously malevolent intentions. To find an older version, it queries the Run registry keys, since most of its old versions use a particular ‘pwo[VERSION]’ naming format for their Run key, where [VERSION] is PWOBot’s version number. Once the fresh version is installed, the malware creates a copy of its executable and saves it to this location: %HOMEPATH%/pwo[VERSION].
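A defender-side check built from the persistence detail above, added here as an example that is not from the article or from Palo Alto's research: it parses the text output of `reg query` for a Run key and flags values whose name follows the pwo[VERSION] format or whose command runs from a %HOMEPATH%/pwo[VERSION] directory. The sample output is constructed, and HKCU\Software\Microsoft\Windows\CurrentVersion\Run is assumed as the Run key to query.

```python
import re
from dataclasses import dataclass

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; the user name and the non-PWOBot entries are made up for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    pwo12    REG_SZ    C:\Users\alice\pwo12\pwo12.exe
    Updater    REG_SZ    C:\Users\alice\pwo9\svc.exe
"""

# Indicator 1: Run value name in the pwo[VERSION] format described in the write-up.
RUN_VALUE_NAME = re.compile(r"^pwo\d+$", re.IGNORECASE)
# Indicator 2: command runs from a pwo[VERSION] directory directly under the user's
# profile (the %HOMEPATH%/pwo[VERSION] location); matches C:\Users\<u>\pwo12 and /home/<u>/pwo12.
HOMEPATH_PWO_DIR = re.compile(r"(?:[\\/]Users[\\/][^\\/]+|/home/[^/]+)[\\/]pwo\d+[\\/]", re.IGNORECASE)


@dataclass
class RunEntry:
    name: str
    kind: str   # registry value type, e.g. REG_SZ
    data: str   # command line stored in the value


def parse_reg_query(text: str) -> list[RunEntry]:
    """Parse the indented value lines of `reg query` output (name, type, data).

    Value names containing spaces are not handled; `reg query` separates fields with runs of spaces.
    """
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def flag_pwobot_persistence(entries: list[RunEntry]) -> list[tuple[RunEntry, str]]:
    """Return (entry, reason) pairs for Run values showing either indicator."""
    findings = []
    for e in entries:
        reasons = []
        if RUN_VALUE_NAME.match(e.name):
            reasons.append("value name uses pwo[VERSION] format")
        if HOMEPATH_PWO_DIR.search(e.data):
            reasons.append("command runs from %HOMEPATH%/pwo[VERSION]")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings
```

On a live Windows host, feed the function the captured output of `reg query` for both the HKCU and HKLM Run keys; an entry matching only the second indicator (a renamed value still launching from a pwo[VERSION] directory) is worth the same follow-up as one matching both.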
What makes this malware family so threatening is that, in addition to being cross-platform, it also has a modular design.