A fully-featured information stealer and remote access trojan has been discovered embedded into a malicious Python package uploaded to the Python Package Index, or PyPI. PyPI is the official repository of Python packages that has been increasingly used by threat actors to host and distribute malware.
The package, named colourfool, contains the information stealing malware, which has been dubbed Colour-Blind due to the package name. Like other malicious Python modules that have been seen on PyPI, Colour-Blind conceals its malicious code in the setup script, which is executed whenever the package is installed via the pip command. When executed, the setup script downloads a ZIP file from a hard-coded Discord URL contained with the script, unzips it, and executes the main payload. The malware starts a Flask web application on the infected system, allowing the threat actors to access it via Cloudflare’s reverse tunnel utility “cloudflared” regardless of any inbound firewall rules. This web application contains different modules to interact with the infected system, including the ability to disable security software, log keystrokes, and steal web browser and cryptocurrency wallet information. Persistence for the script is established via a Visual Basic script placed into the user’s Start Up folder, and data exfiltration is achieved by using transfer.sh, an anonymous file transfer website becoming increasingly popular among threat actors.
This campaign coincides with another campaign using PyPI to distribute malware, where thousands of fake packages were uploaded to the repository in an attempt to deploy a Rust-based information stealer.
PyPI and other language-based repositories are increasingly being used by threat actors to distribute malware. Due to this, it is important to make sure that package installations are being done in a secure manner, to prevent an incidental infection within an organization. It is recommended that all imported libraries into an application are verified by developers, to make sure that there are no accidental typos in library names. Threat actors rely on accidental typos when installing packages, so verifying that there are none prior to installation can help prevent such an attack from occurring. Likewise, it is recommended to use virtualized environments and sandboxes when developing and testing an application. This can help prevent an infection from occurring in a production or otherwise network-connected environment. Finally, deploying and maintaining endpoint security controls, such as an EDR, on all devices is highly recommended to help detect and prevent infections such as these. In cases where prevention does not occur, custom detections can be created to help alert analysts to a potential infection. Binary Defense’s Managed Detection and Response service is an excellent asset to help asset with these types of custom detection needs.