Intel Reports

Activity Summary - Week Ending on 25 May 2023:

• Red Sky Alliance identified 14,828 connections from new IP’s checking in with our Sinkholes
• Fiberxpress[.]net in the Netherlands hit 16,892x
• 2,333 ‘new’ Botnets hits
• 30 new zero-day attacks
• PyPI packages
• Canadian Risks
• People’s Right Hand

Red Sky Alliance Compromised (C2) IP’s  

Malware Activity 

On 24 May 2023, Red Sky Alliance identified 14,828 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 24 May 2023, analysts identified 2,333 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

MALICIOUS CYBER TRENDS:

PyPI packages - the FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index).  These were found between late March and late April by monitoring an open-source ecosystem. In this blog, we will cover all the packages that were found, grouping them into similar attacks or behavior.[1]

1. The packages in the following set were found to be similar:

• tls-bypass (version 1.0)
• zproxy (version 1.0)
• stripe-client (version 1.0)
• stripepy (version 1.0)
• proxycpz (version 1.0)
• pycolorstrex (version 1.0)
• pyproxyx (version 1.0)
• colored-fidget (version 1.0)

The setup.py file in these packages tries to execute a Python script written to connect to a URL that may contain malicious code.

Figure 1: One of the variants of setup.py in set one

2. The next set of packages includes:

• ailzyn1tr0 (version 1.0)
• oauth20-api (version 1.0)
• bogdi (version 1.0)

The setup.py file in these packages tries to steal information, such as credit cards, wallets, account logins, etc. using a Discord webhook.

Figure 2: Code snippet of one of the variants of setup.py in set two

3. This set includes the following package:

• async-box (version 1.4.7)

The setup.py file in this package tries to download a zip file to a directory (depending on the Python version), extract its contents, run a script contained in the zip file, and then remove its directory.

Figure 3: Code snippet of setup.py in set three

4. This set includes the following package:

• seleniumunclickable (version 1.0.1)

The setup.py file in this package connects to a URL to download and run a potentially malicious script.

Figure 4: Code snippet of setup.py in set four

5. This set includes the following package:

pyobfexecute (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5)

Its setup.py file tries to execute the encoded data shown in Figure 5.

Figure 5: Code snippet of one of the variants of setup.py in set five

The decoded data (shown below) tries to connect to a URL to write potentially malicious data to a Python script, which it then runs. It then removes the script.

Figure 6: Decoded setup.py

6. The packages in this set include:

• compilecls (versions 1.0.2, 1.0.3)
• randgenlib (version 1.0.2)
• pipcoloringlibary (version 1.0.0)
• pipcoloringliberyV2 (version 1.0.0)
• pythoncolourlibraryV1 (version 1.0.0)

Similar to set two, these packages tr yto steal sensitive information such as wallets, login information, cookies, etc., using a webhook. Its code includes a GitHub link to https://github.com/Inplex-sys/BlackCap-Grabber-NoDualHook, indicating that it may be a BlackCap webhook stealer. It also includes additional features, such as bypassing VM machines, hiding itself, and injection techniques, etc. This time, the malicious code is found in __init__.py

Figure 7: Code snippets of one of the variants of __init__.py in set six

7. Package seven includes:

• aietelegram (version 0.3)
• social-scapper (version 3.6)
• quick-telegram-sender (version 0.7)
• libidreq (version 0.1)
• setnetwork (version 0.3)
• tg-bulk-sender (version 2.3)
• social-scrappers (version 2.3)
• tiktok-phone-cheker (version 2.42)
• cloud-client (version 1.34)
• cloudfix (versions 0.0.0, 2)

When examining its setup.py, we found that it tries to run the encoded data shown below. Once decoded, we see that it creates and runs an executable file that accesses and exfiltrates sensitive data.

Figure 8: Code snippet of one of the variants of setup.py in set seven

Figure 9: Code snippet of decoded setup.py

8. This set includes the following package:

• roblopython (version 2.0.15)

This package’s setup.py file reveals the execution of encoded data, as shown in Figure 11. Once decoded (Figure 12), we see that it tries to retrieve potentially malicious data—most likely an executable from a URL—to write to a file, which it then tries to run.

Figure 10: setup.py in set eight

Figure 11: Decoded setup.py in set eight

9. This set includes the following package:

• pycalculate (version 1.0.0)

This package contains multiple layers of obfuscation in its setup.py file, as shown in Figure 12. While it could not fully run, it still dropped a script named ‘WindowsDefender.py,’ which provides clues that it will execute a potentially malicious script that it retrieved from a file-sharing website, as shown in Figure 13.

Figure 12: Code snippet of setup.py in set nine

Figure 13: Dropped script WindowsDefender.py

Conclusion - As this blog shows, we are seeing more—and more different—types of malicious Python packages being loaded into an open-source ecosystem, each with a unique method of attack. Given the increasing number and variety of attacks, end users should keep an eye out for suspicious packages and take caution before using them. We will continue to report current information on malicious packages to help users avoid becoming a victim of a supply chain attack.

IOC:

• tls-bypass-1.0 setup.py
• ffb2b2e714229f281add91aca0d57dcf
• zproxy-1.0 setup.py
• d4c635f97b6564b904803fc2aabbaed8
• ailzyn1tr0-1.0 setup.py
• 89db7b4665cff163931777f091f3b8f5
• stripe-client-1.0 setup.py
• 9b4d4447926c285f0b61cda94cd4c091
• stripepy-1.0 setup.py
• 3330f0addf70da913f2612a1f4160966
• proxycpz-1.0 setup.py
• 2377e6a74e114629130519fb11307c1e
• pycolorstrex-1.0 setup.py
• b916f12792f9fa268151a62fd251f5ba
• pyproxyx-1.0 setup.py
• 67bd8ac1e0dbfc1e97dcf3484dc94962
• colored-fidget-1.0 setup.py
• 8185f8b26899dc1a3fb21f28a707d416
• async-box-1.4.7 setup.py
• 6bf677c885d35e60469a03a5fbdf9d05
• seleniumunclickable-1.0.1 setup.py
• ef8c25e9f2898b3e4d6ae90c8f3326bb
• pyobfexecute-1.0.0 setup.py
• 0c7ef9ff1aa6063b2c05d7b6a90ac9e8
• pyobfexecute-1.0.1 setup.py
• 3ba67a5955c66e272ce9c0dc7899a303
• pyobfexecute-1.0.2 setup.py

3a52b545ec52c2690b3b3360e6aeabea

• pyobfexecute-1.0.3 setup.py

f7c4e2d0af6729d90490bed9ec5529bb

• pyobfexecute-1.0.4 setup.py

fb61ab7fedb684c5cc911f34e7694b97

• pyobfexecute-1.0.5 setup.py

0e254a2fe5f2b45e8d46473e1bf4261e

• compilecls-1.0.2 __init__.py

f35ceed9535442d8c54ae2c812981967

• compilecls-1.0.3 __init__.py

531c8cfcb06f317e3d2d6f5244065d0e

• randgenlib-1.0.2 __init__.py

72e54b41d47187beed081a19f5f492e9

• aietelegram-0.3 setup.py

31fc1f95991734c9b6934aa76ea0937f

• pipcoloringlibary-1.0.0 __init__.py

53ba97516240b344513be0ebf7bfac12

• social-scrapper-3.6 setup.py

51e2facc49ca409cb39388e97231db48

• quick-telegram-sender-0.7 setup.py

cf247e4436d2d44a4f426447fa125de6

• oauth20-api-1.0 setup.py

73e623a5ed9e8f55131c2e00e9660e8b

• libidreq-0.1 setup.py

31e30f8f40e0f917007a0771b3c671e2

• roblopython-2.0.15 setup.py

fcc64a48b6182a22952cc237d99d9350

• setnetwork-0.3 setup.py

9fa65e48a699f1540c8423844ae0da9f

• pycalculate-1.0.0 setup.py

faf2d569cdaf4e1337d7be27b148e72d

• pipcoloringliberyV2-1.0.0 __init__.py

53ba97516240b344513be0ebf7bfac12

• pythoncolourlibraryV1-1.0.0 __init__.py

df46d8d238eee6e283775ba3be6e73bf

• tg-bulk-sender-2.3 setup.py

047b511c33587734c658146e7802bd01

• social-scrappers-2.3 setup.py

0d5a0e3a2ff4d0e216eeac4068a80a79

• tiktok-phone-cheker-2.42 setup.py

9e060f032e7b4df22cd0bf3e2402e068

• bogdi-1.0 setup.py

84285525a2ab835d5200daedc331242a

• cloud-client-1.34 setup.py

350639460f29536d7e92e7e9616f5927

• cloudfix-0.0.0 setup.py

d7296063bbd8eefa39897972530db644

• cloudfix-2 setup.py

3d551ad49ad93382a33abe57da0d33c5

Malicious URLs

• hxxps://paste[.]website/p/400c3e4b-a59b-4598-a199-75e848aeaae3[.]txt
• hxxps://raw[.]githubusercontent[.]com/KSCHdsc/BlackCap-Inject/main/index[.]js

GLOBAL TRENDS:   

Canada - Trend Micro Incorporated announced the findings of its latest global Cyber Risk Index (CRI) for the second half of 2022.  According to the results, the overall global cyber-risk levels have improved from “elevated” to “moderate” for the first time.  While North America and Canada still stand at an elevated risk level,  Canada received a score of -0.03, which shows an improvement compared to the first half of the year (-0.30).  Results also revealed almost two-thirds (60%) of Canadian organizations still anticipate they’ll be breached in the next 12 months, with almost one-out-of-five (18%) claiming this is “very likely” to happen.[2]

Trend Micro: “For the first time since we’ve been running these surveys, we saw the global cyber-risk index not only improve but move into positive territory at +0.01.  Canada has also steadily shown improvement since our last survey, although there is still work to be done.  Canadian organizations must continue to take steps to improve their cyber-preparedness so they can stay ahead of the ever-evolving threats, especially since most anticipate a breach within the next year.”

Despite this improvement, most Canadian organizations are still pessimistic about their prospects over the coming year. The CRI found that most respondents in Canada said it was “somewhat to very likely” they’d suffer a breach of customer data (61%) or Information assets (e.g. intellectual property) (60%) or a successful cyber-attack (69%).

These figures represent a decrease of 14%, 19% and 17%, respectively, from the last report.  At a global level, the top four threats listed by respondents in the CRI 2H 2022 remained the same from the previous report:

• Clickjacking
• Business Email Compromise (BEC)
• Ransomware
• Fileless attacks
• “Botnets” replaced “login attacks” in fifth place.

Global respondents also named employees as representing three of their top five infrastructure risks:

• Negligent insiders
• Cloud computing infrastructure and providers
• Mobile/remote employees
• Shortage of qualified personnel
• Virtual computing environments (servers, endpoints)

Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said: “As the shift to hybrid working gathers momentum, organizations are rightly concerned about the risk posed by negligent employees and the infrastructure used to support remote workers.  They will need to focus not only on technology solutions but people and processes to help mitigate these risks.”

People’s Right Hand - If there is a single common factor for most security breaches, it’s because people are involved. Humans are the reason for insecure passwords, lost secrets and compromised data if only because humans have trouble remembering the details of security.  While there are technical causes for many breaches, even there it’s often the human factor that ultimately leads to the technical weakness. Dealing with the human factor is where Right-Hand Cybersecurity comes in.

The company has built a “human risk management platform” to “help organizations measure which employees are the most breach prone, and then provide targeted nudges and micro modular training to help employees reduce their risk,” says its Co-Founder and CEO of Right-Hand Cybersecurity.  Aside from the significant financial losses that come from these incidents, one lesson has become increasingly clear: people remain the weakest link in the chain of cybersecurity systems.  The vast majority of cyber-attacks are caused by human error (such as clicking on a phishing link), using a found USB flash drive, or careless behavior (such as sharing sensitive information outside of a company’s network).[3]

Right-Hand said that by aggregating user data from its existing suite of cybersecurity tools the company creates a list of vectors of network vulnerability.  In turn, Right-Hand’s system considers the components of users’ risk scores to provide highly individualized training materials to correct behaviors in real-time rather than, say, once per quarter.

Cyber breaches and attacks against major organizations have become a common feature in today’s IT industry. For example, the WannaCry hacks in 2017, the Colonial Pipeline ransomware attack in 2021, and the ransomware attack against the San Francisco 49ers in 2022 are just a few of many that involve mistakes made by people charged with securing those networks.  However, many mainstream vendors designing the newest and most sophisticated cybersecurity tools remain strongly focused on the technical vulnerabilities that are often vectors for ransomware and other devastating attacks, but not always paying attention to the human factor.

 [1] https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-malicious-python-packages/

[2] https://www.canadianmanufacturing.com/manufacturing/trend-micros-cyber-risk-index-shows-69-of-canadian-organizations-predict-successful-attacks-incoming-291368/

[3] https://www.forbes.com/sites/waynerash/2023/05/23/right-hand-cybersecurity-focuses-on-human-behavior-to-mitigate-attacks/