Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,300
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.

The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles.

The malicious code, as is increasingly the case, is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process.

The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code.

"These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published last week.

The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.

But in what's a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which offers a "secure way to connect your resources to Cloudflare without a publicly routable IP address."

The idea, in a nutshell, is to leverage the tunnel to remotely access the compromised machine via a Flask-based app, which harbors a trojan dubbed xrat (but codenamed poweRAT by Phylum).

The malware enables the threat actor to run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary python code.

The Flask application also supports a "live" feature that uses JavaScript to listen to mouse and keyboard click events and capture screenshots of the system in order to grab any sensitive information entered by the victim.

"This thing is like a RAT on steroids," Phylum said. "It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot!"
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top