Control flow decryption | Image: InfoGuard
A recent investigation into a DragonForce ransomware engagement has pulled back the curtain on a highly sophisticated Python-based backdoor known as VIPERTUNNEL. The analysis, conducted by InfoGuard, reveals a threat that shuns traditional malware footprints in favor of deep-seated persistence and modular stealth.
The discovery began with the identification of a suspicious scheduled task configured to execute pythonw.exe without any command-line arguments, a behavior InfoGuard describes as “atypical in legitimate Windows environments”.
Rather than relying on typical script paths, the attackers utilized a novel persistence mechanism by placing malicious code within C:\ProgramData\cp49s\Lib\sitecustomize.py. Because Python imports this module automatically at interpreter startup, the malware is guaranteed to run whenever the interpreter begins. As the analysis notes, “Placing malicious code here ensures it runs whenever pythonw.exe starts, without command-line input”.
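The two indicators described above, a scheduled task running pythonw.exe with no arguments and a sitecustomize.py sitting in that interpreter's Lib directory, can be hunted together. The following is an added example, not code from InfoGuard's report: it parses Task Scheduler XML (the format `schtasks /Query /XML` emits) and derives the sitecustomize.py path an analyst should pull for review. The task names, paths and XML are constructed sample data.

```python
# Added example (not from the InfoGuard report): flag scheduled tasks whose action is
# pythonw.exe with no arguments, then derive the sitecustomize.py that Python would
# auto-import for that interpreter. Task XML is constructed here; on a real host it
# comes from `schtasks /Query /TN <name> /XML`.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: one benign task that passes a script, one argument-less task.
SAMPLE_TASKS = {
    r"\Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Python311\\pythonw.exe</Command>
  <Arguments>C:\\Tools\\updater.py</Arguments></Exec></Actions></Task>""",
    r"\cp49s": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\ProgramData\\cp49s\\pythonw.exe</Command></Exec></Actions></Task>""",
}


def audit_task(name, task_xml):
    """Return a finding dict if the task runs pythonw.exe with no arguments, else None."""
    root = ET.fromstring(task_xml)
    for exe in root.iterfind(".//t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if PureWindowsPath(cmd).name.lower() != "pythonw.exe" or args:
            continue
        # sitecustomize.py is imported automatically from the interpreter's Lib
        # directory, so that file is the first artefact to collect for the task.
        install_dir = PureWindowsPath(cmd).parent
        return {
            "task": name,
            "command": cmd,
            "sitecustomize": str(install_dir / "Lib" / "sitecustomize.py"),
        }
    return None


def audit_all(tasks):
    """Audit a {task_name: task_xml} mapping and return the list of findings."""
    return [f for f in (audit_task(n, x) for n, x in tasks.items()) if f]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TASKS):
        print(finding)
```

On a live host, feed the function the XML of every task and treat any returned `sitecustomize` path, plus the interpreter directory it lives in, as a collection target.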
The malware uses multiple layers of obfuscation, including Base85 encoding, which allows it to “bypass systems focused on standard Base64 patterns” due to its higher density.
To further thwart analysts, the decryption routines employ control-flow flattening. This technique forces the script to run in a continuous loop with a state variable controlling the flow, ensuring it does not follow a linear sequence that would be easy to trace. The report clarifies that “these routines are the only mechanism to convert obfuscated blobs into executable logic”.
At its core, VIPERTUNNEL acts as a modular SOCKS5 proxy, creating an outbound tunnel to a hardcoded Command-and-Control (C2) server. It utilizes port 443 for these connections, “blending with typical HTTPS traffic to evade detection”.
The infrastructure is linked to the “Pyramid” framework, a specialized tool that uses the legitimate python.exe as a “Living off the Land” Binary (LOLBin) to execute code entirely in memory. InfoGuard's research connects the malware to UNC2165 and EvilCorp, noting that its modular design and tunneling capabilities “match documented VIPERTUNNEL traits”.
While the current payloads target Windows environments, researchers also uncovered related samples of ShadowCoil, a credential stealer sharing the same obfuscation framework. These samples included Linux-specific anti-debugging checks, such as searching for TracerPid in /proc/self/status.
The presence of these checks, despite the script's primary focus on Windows browser paths, “suggests the obfuscation framework is cross-platform”. InfoGuard warns that “Linux anti-debugging hints at future Linux malware,” signaling that the authors are already preparing for a broader reach.