Malicious Python Packages on PyPI: A Growing Threat to Developers
Cybersecurity researchers from Fortinet FortiGuard Labs have identified two malicious Python packages uploaded to the Python Package Index (PyPI) repository. These packages, named zebo and cometlogger, were specifically crafted to exfiltrate sensitive information from compromised systems. Before being removed from PyPI, the packages attracted 118 and 164 downloads, respectively, with the majority of these downloads originating from the United States, China, Russia, and India.
Overview of the Malicious Packages
Zebo: A Surveillance Tool in Disguise
Zebo is a classic example of a malicious package. Its functions are tailored for surveillance, data exfiltration, and unauthorized control. Notably, the package employs obfuscation techniques to hide its malicious intent.
Command-and-Control Communication
Zebo communicates with a remote command-and-control (C2) server using HTTP requests. The URL for the C2 server is concealed through hex-encoded strings, making detection more challenging.
Data Harvesting Capabilities
Keystroke Logging: Uses the pynput library to record user keystrokes.
Screenshot Capture: Periodically captures screenshots using ImageGrab and saves them locally every hour. The screenshots are later uploaded to the free image hosting service ImgBB, with an API key fetched from the C2 server.
Persistence Mechanism
Zebo establishes persistence by creating a batch script that launches its Python code. This script is added to the Windows Startup folder, ensuring the malware executes automatically upon system reboot.
Cometlogger: A Multifunctional Data Stealer
Cometlogger is a more sophisticated package with an extensive range of malicious functionalities. It targets sensitive data and performs checks to evade detection.
Data Exfiltration
Cometlogger siphons data from various applications and services, including:
Apps: Discord, Steam, Instagram, X (formerly Twitter), TikTok, Reddit, Twitch, Spotify, and Roblox.
System Information: Gathers metadata, network and Wi-Fi details, a list of running processes, and clipboard content.
Credentials and Cookies: Steals account-related information such as passwords and cookies.
Evasion Tactics
The malware incorporates mechanisms to detect and avoid running in virtualized environments, ensuring it operates effectively on real systems. It also terminates web browser processes to gain unrestricted access to stored files.
Efficiency in Data Theft
By asynchronously executing tasks, Cometlogger is capable of stealing significant amounts of data in a short time, maximizing its impact on compromised systems.
Technical Analysis and Indicators of Malicious Activity
Obfuscation: Both packages employ obfuscation techniques to evade detection, with hex-encoded strings being a common feature.
Dynamic Functionality: The use of external APIs (e.g., ImgBB) and webhooks facilitates seamless exfiltration of data.
Anti-VM Checks: These ensure the malware doesn't execute in virtualized or sandboxed environments, making it harder for researchers to analyze its behavior.
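One way to triage a downloaded package for the indicators listed above (hex-encoded string literals that decode to a C2 URL, imports of pynput or ImageGrab, and a Windows Startup-folder path), as an added example that is not code from the FortiGuard report or from either package; the scanner is my own, and the sample module with its placeholder URL c2.example.invalid is constructed for the demonstration:

```python
import ast
import re
from typing import Dict, List, Optional

# Libraries and paths the write-up associates with zebo's behaviour.
SUSPECT_IMPORTS = {"pynput", "PIL.ImageGrab"}
STARTUP_MARKER = "Start Menu\\Programs\\Startup"
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){6,}$")  # even-length hex, at least 6 bytes


def decode_hex_url(literal: str) -> Optional[str]:
    """Return the decoded text if `literal` is hex that decodes to an http(s) URL."""
    if not HEX_RE.match(literal):
        return None
    try:
        text = bytes.fromhex(literal).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.lower().startswith(("http://", "https://")) else None


def scan_source(src: str) -> Dict[str, List[str]]:
    """Walk one module's AST and collect the three indicator types."""
    hits: Dict[str, List[str]] = {"hex_urls": [], "suspect_imports": [], "startup_refs": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = decode_hex_url(node.value)
            if url:
                hits["hex_urls"].append(url)
            if STARTUP_MARKER in node.value:
                hits["startup_refs"].append(node.value)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPECT_IMPORTS or alias.name in SUSPECT_IMPORTS:
                    hits["suspect_imports"].append(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                if node.module.split(".")[0] in SUSPECT_IMPORTS or full in SUSPECT_IMPORTS:
                    hits["suspect_imports"].append(full)
    return hits


# Constructed sample mimicking the pattern; the URL is a placeholder, not a real indicator.
HEX_C2 = "https://c2.example.invalid/api".encode().hex()
SAMPLE = (
    "from pynput import keyboard\n"
    "from PIL import ImageGrab\n"
    f'C2 = bytes.fromhex("{HEX_C2}").decode()\n'
    'BAT = r"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"\n'
)
```

Run scan_source over each .py file in an unpacked sdist or wheel before installing it; any non-empty list is a reason to read the module by hand rather than a verdict on its own.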
Impact on Developers and End Users
The discovery of zebo and cometlogger underscores the risks posed by malicious packages on open-source platforms like PyPI. These threats can have wide-ranging consequences, including:
Data Theft: Unauthorized access to sensitive personal and organizational data.
Compromised Applications: Integration of malicious code into legitimate projects can propagate the threat further.
Erosion of Trust: Increased difficulty in discerning between trustworthy and malicious packages.
Best Practices for Mitigating Risk
To protect against such threats, developers and organizations should adopt robust security practices:
Validate Packages: Always review and scrutinize code before executing it, especially from unverified or new sources.
Use Reputable Sources: Rely on trusted and well-maintained packages with a history of legitimate use.
Implement Static and Dynamic Analysis: Employ tools to analyze the behavior of packages before integrating them into your projects.
Enable Multi-Factor Authentication (MFA): Use MFA to secure accounts associated with development environments.
Monitor Dependencies: Regularly audit dependencies to detect and replace compromised packages.
Conclusion
The discovery of zebo and cometlogger highlights the evolving sophistication of attackers targeting software supply chains. While these malicious packages have been removed from PyPI, the incident serves as a stark reminder of the importance of vigilance in managing third-party dependencies. Developers must remain cautious, thoroughly vetting packages and staying informed about emerging threats to safeguard their projects and data.