
Malicious PyPI Packages Bypass Firewall Restrictions via Cloudflare Tunnels

Vlad CONSTANTINESCU

January 09, 2023


Researchers discovered six packages on PyPI, the Python Package Index, that carry remote access trojan (RAT) and information-stealing malware and use Cloudflare Tunnels to bypass inbound firewall restrictions.

The rogue packages’ abilities include keylogging, shell command execution and theft of critical user information from browsers, according to Phylum’s security advisory.

Phylum's researchers first detected the malicious code on Dec. 22, 2022, and the perpetrators kept uploading poisoned packages until Dec. 31. The malicious packages are:

  • pyrologin
  • easytimestamp
  • discorder
  • discord-dev
  • style.py
  • pythonstyles

The first malicious package detected was pyrologin; researchers initially took it for “standard Python malware.” On closer inspection, though, they found that the package also fetched an archive from a third-party file-sharing site and contained PowerShell strings meant to run the downloaded code in a hidden window with error output suppressed.

“One thing that did stick out in this package, however, was the fetching of a zip file from a transfer[.]sh site and some strings that contained PowerShell code with 'SilentlyContinue' and -WindowStyle Hidden in it,” reads Phylum’s announcement. “This looked like a clear attempt to hide whatever code the attacker was trying to execute.”

After retrieving the archive, the script unpacks it on the compromised device and installs a set of dependencies needed for screenshot capture and remote control. The -ErrorAction SilentlyContinue flag suppresses PowerShell error messages, so a failed step neither stops the script nor surfaces to the user; together with -WindowStyle Hidden, nothing from the installation appears on screen.

Included in the archive is a server component that launches four threads:

  • The first thread attempts persistence by placing itself in the Windows Startup folder
  • The second thread pings a proxied onion site
  • The third starts a keylogger on the compromised machine
  • The final thread is the actual info-stealer, which exfiltrates browser passwords, cookies, Telegram data, crypto wallets and Discord tokens

At this stage, a second Python script included in the archive installs a Cloudflare Tunnel client on the victim’s machine. The tunnel client opens an outbound connection to Cloudflare’s edge and exposes local services through it, so the attackers can reach the compromised device remotely without opening inbound ports or changing firewall rules on the victim’s network.

Threat actors combine the firewall-dodging capabilities of the tunnel with a remote access trojan planted on the infected device to:

  • Execute arbitrary code remotely
  • Download and execute malicious payloads
  • Exfiltrate specific files
  • Harvest information about the victim (username, IP address)
  • Dump all logins
  • Run shell commands
  • View a live remote desktop feed of the compromised machine

Although the malicious packages have been removed from PyPI and their publishers have been banned, nothing prevents the threat actors from returning to the repository.

Removal from PyPI does not remove the packages from machines where they were already installed. Anyone who installed one of the malicious packages must uninstall it manually, and should note that uninstalling the package with pip does not remove the dropped archive, the Startup-folder persistence or the tunnel client that the install-time payload set up; those have to be cleaned up separately.
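The following triage script is an added example written for this article; it is not Phylum's or Bitdefender's tooling. It checks whether any of the six package names listed above is installed in the current interpreter or referenced in a requirements file, and lists entries in the Windows Startup folders for manual review. The blocklist is taken from the advisory as quoted above; the set of "suspicious" Startup-folder file extensions is an assumption made for triage, not an indicator from the advisory. The comparison uses PEP 503 name normalization because pip treats `style.py`, `style_py` and `Style-Py` as the same project, so a raw string match would miss installed copies.

```python
"""Triage helper for the malicious PyPI packages named in Phylum's advisory.
Added example, not the researchers' or the vendor's own code."""
import os
import re
import sys
from importlib import metadata
from pathlib import Path

# Package names exactly as listed in the advisory quoted in the article.
MALICIOUS_PACKAGES = [
    "pyrologin", "easytimestamp", "discorder",
    "discord-dev", "style.py", "pythonstyles",
]

# Assumption for triage: script/binary types that rarely belong in a per-user
# Startup folder on a developer machine. Not an IOC from the advisory.
SUSPICIOUS_STARTUP_SUFFIXES = {".py", ".pyw", ".bat", ".cmd", ".vbs", ".ps1", ".exe", ".lnk"}


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious(installed_names, blocklist=MALICIOUS_PACKAGES):
    """Return the normalized names in `installed_names` that match the blocklist."""
    bad = {normalize(n) for n in blocklist}
    return sorted({normalize(n) for n in installed_names if normalize(n) in bad})


def installed_distribution_names():
    """Names of every distribution visible to this interpreter."""
    names = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            names.append(name)
    return names


def check_requirements(text, blocklist=MALICIOUS_PACKAGES):
    """Scan the body of a requirements.txt for lines naming a blocklisted project.
    Comments, blank lines and pip options such as '-r' / '--index-url' are skipped."""
    bad = {normalize(n) for n in blocklist}
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        # The project name is the leading identifier before any extras or version
        # specifier, e.g. 'pkg[extra]>=1.0' -> 'pkg'.
        match = re.match(r"([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)", line)
        if match and normalize(match.group(1)) in bad:
            hits.append(line)
    return hits


def scan_startup_dir(path, suffixes=SUSPICIOUS_STARTUP_SUFFIXES):
    """List entries in a Startup folder whose extension is in `suffixes`.
    Returns [] when the folder does not exist (e.g. when run on a non-Windows host)."""
    folder = Path(path)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir() if p.suffix.lower() in suffixes)


def windows_startup_dirs():
    """Per-user and all-users Startup folders, derived from the standard env vars."""
    dirs = []
    for var, sub in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                     ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        base = os.environ.get(var)
        if base:
            dirs.append(os.path.join(base, sub))
    return dirs


if __name__ == "__main__":
    hits = find_malicious(installed_distribution_names())
    for name in hits:
        print(f"[!] blocklisted package installed: {name}  ->  pip uninstall {name}")
    for req_file in sys.argv[1:]:  # optional requirements files to scan
        if os.path.isfile(req_file):
            for line in check_requirements(Path(req_file).read_text()):
                print(f"[!] {req_file}: {line}")
    for startup in windows_startup_dirs():
        for entry in scan_startup_dir(startup):
            print(f"[?] review Startup entry: {os.path.join(startup, entry)}")
    sys.exit(1 if hits else 0)
```

Run it with the interpreter (or virtual environment) that was used for the suspect install, since `importlib.metadata` only sees distributions on that interpreter's path; pass any requirements files as arguments. A non-zero exit code makes it easy to wire into a CI step. A blocklisted package that turns up means the install-time payload already ran, so the Startup-folder listing and a search for the tunnel client are the next steps, not the end of the cleanup.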


Dedicated software such as Bitdefender Ultimate Security can keep you safe from trojans, info-stealers and other cyber threats with its extensive range of features, including:

  • Continuous, all-around protection against viruses, worms, Trojans, spyware, rootkits, zero-day exploits, and other e-threats
  • Network-threat prevention module that identifies suspicious network-level activities and blocks them before they harm you
  • Behavioral detection technology that keeps a close eye on active apps and takes instant action upon detecting suspicious activity
