You've probably heard of the Python module 'dateutil'. The module offers powerful extensions to the standard datetime library extensively used by Python developers. Yesterday, however, Sonatype's automated malware detection system caught a suspicious PyPI package called 'python-dateutils' that mines Monero (XMR) cryptocurrency on your system — whether Windows, Linux, or macOS, and steals AWS credentials.
From the name of it, the package is a clear typosquatting attack impersonating one or more legitimate packages: dateutil, python-dateutil, or yet another legitimate PyPI package 'dateutils'. There is also some indication that in the past 'python-dateutils' could have been a legitimate library used by developers [1, 2].
But, versions of 'python-dateutils' caught by us this week are malicious. We've included the detailed analysis below.
Combines Base64 obfuscation with ROT13 cipher
Sonatype's security research team has analyzed tens of thousands of malicious packages across npm, PyPI, and other open source ecosystems by now. And, over time we have come across several obfuscation techniques employed by threat actors — from steganography to Base64-encoding, minification, and most recently, threat actors using a ready-made packer or obfuscator like JSDefender.
Unlike some of the novel techniques, 'python-dateutils' uses a straightforward Base64-encoding for obfuscating text, some of which has been scrambled using the trivially reversible ROT13 cipher. Akin to the Caesar cipher of ancient times, ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet.
This becomes clear when we unpack one or more versions of the malicious 'python-dateutils' and peek into the setup.py manifest file:
The strings toward the bottom of the file (lines 6-8) are mere hexadecimal representations of the aforementioned ASCII variable names (magic, love, god, etc.) and just another obscure method employed by the malware author to instruct the Python interpreter to evaluate the encoded code.
A snippet from the decoded copy of the 'setup.py' file is shown below:
Uses MoneroOcean's GitHub Repo to mine Monero (XMR)
The Discord webhook seen in the decoded script (line 23) is actually being used to exfiltrate your IP address, operating system information, and sensitive data like AWS credentials as we explain further down in the post:
hXXps://discord[.]com/api/webhooks/991208558098141264/hLnYmQl9k38eM7PChAqZJzn6Jsele4fU04GLlaT-zfww0JdMw4j1zhazpUjBOjEuGzpA
Lines 38 and onwards is where the script determines whether you are running the Linux operating system, macOS, or Windows, and accordingly loads an appropriate crypto miner (a Bash or a PowerShell version of XMRing) from MoneroOcean's GitHub repository.
The attacker's wallet address used throughout the script regardless of your platform is: 4AZ6u7wEVZ7EDFAXCnZGkf1PwRPMDStboTzzwJhf1LcJiK3Ki4H2SgjVCnFsgkwDoVa5De6zWQaXUcsEz1Hgu7b1LnvBTpu
Another place where similar base64-encoded and ROT13-obfuscated code exists is the src/dateutil/__init__.py file within the 'python-dateutils' package. The 'dateutil' directory does contain some code from the legitimate Python module to help the malware authors mask their footsteps, but let's face it: '__init__.py' has echoes of the suspicious 'setup.py' file we just analyzed above.
Steals AWS credentials
Surely enough, decoding __init__.py reveals the complete story.
In addition to mining Monero (XMR) on your system, the package uses the aforementioned Discord webhook to exfiltrate your Amazon AWS credentials present in ~/.aws/credentials.
The exfiltration occurs as soon as the 'webhook' function is called (on lines 48, 52, and 56 below), uploading the collected credentials to the endpoint, in addition to your system's IP address, and fingerprinting information.
Fortunately, the package was taken down from the PyPI registry right as Sonatype was about to report it to the PyPI security team. According to PePy.tech, which monitors PyPI downloads, 'python-utils' received just under 1,000 downloads (from humans and bots/mirrors alike) before it was taken down.
Sonatype Repository Firewall users protected amid increasing attacks
The discovery follows our this week's disclosure of malicious Python packages caught stealing AWS keys, environment variables, and secrets, and uploading these to a publicly exposed endpoint!
Sonatype remains at the forefront of timely discovering and reporting attacks targeting developers, ecosystem, and the open source software supply chain, like the one discussed above.
Given the magnitude of malicious and bug bounty packages that we have identified and analyzed — in hundreds on a daily basis, it is evident that the open source software security problem has worsened in the last two quarters, with the need for automation now becoming indispensable more than ever.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.
Explore All Posts by Ax Sharma