Resources Blog PyPI attackers still at it: Malicious packages drop trojans ...

PyPI attackers still at it: Malicious packages drop trojans and info-stealers

This month, Sonatype’s automated malicious open source and malware detection systems flagged hundreds of malicious packages, 10 of which we have analyzed in this blog post.

From packages employing obfuscation seen before, to those named after the well-known npm “colors” library but dropping trojans – our findings from this month comprise a variety of open source threats.

The malicious packages named after npm library “colors,” are ironically Python packages published to the PyPI registry. These are called:

  1. broke-rcl
  2. brokescolors
  3. brokescolors2
  4. brokescolors3
  5. brokesrcl
  6. trexcolors

All of these packages were published by a PyPI account named ‘broke.’ The account and these packages have since been taken down after Sonatype privately reported our findings to PyPI, prior to publishing.

6.22.23 Ax Blog Post 1 (1)


These packages target the Windows operating system and are identical with regards to their versioning – each with only a 0.0.0 version available, and the payload contained within them. 

Upon installation, these packages simply download and run a trojan hosted on Discord’s servers.

6.22.23 Ax Blog Post 2 (1)

Likewise, for ‘trexcolors’ we see a ‘trex.exe’ being downloaded and run as soon as the package is installed:

6.22.23 Ax Blog Post 3 (1)

According to VirusTotal, ‘trex.exe’ is a known trojan and info-stealer. It further contains code to evade detection and deter reverse engineering practices, in an attempt to hinder analysis.

Cross-platform ‘libiobe’ malware


Another PyPI package we came across in addition to the aforementioned ones, is called ‘libiobe’ which appears to be named after a legitimate library called, ‘iobes.’ The package, analyzed by Sonatype security researcher Carlos Fernandez, targets users of both Windows and Unix operating systems.

For users running Windows, it’ll drop a malicious executable packed inline within the source code as a base64-string. This executable which once again is a trojan and info-stealer is named ‘V0d220823bb829d3fcc62d10adf.exe’ [VirusTotal analysis] and dropped by the package in a temporary folder, not readily visible to the end user.

For those on Linux/Unix systems, a minified Python code (also base64-encoded) runs instead.
The code in question, “profiles the system and sends the fingerprinting data to a Telegram endpoint,” explains Fernandez:

6.22.23 Ax Blog Post 4 (1)

Magic, love, god, destiny, joy, trust


Other than these PyPI packages, we identified FNBOT2, TAGADAY, and ZUPPA that ran obfuscated code packed into 6 variables named magic, love, god, destiny, joy, and trust – a pattern we have seen with packages running cryptominers before.

6.22.23 Ax Blog Post 5 (1)

This particular type of obfuscation has been used before by malware authors who typically rely on speedy online tools, like the one provided by development-tools.net.

It is hard to ascertain who would ultimately run packages with such names or who they are specifically targeting. While these packages may not be employing any novel payload or tactics, or have obvious targets, they are a testament to the ongoing malicious attacks that are targeting open source software registries like PyPI and npm.

Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

 

Picture of Ax Sharma

Written by Ax Sharma

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.