[TheRecord] Malicious Python packages caught stealing Discord tokens, installing shells

The operators of the Python Package Index (PyPI) have removed this week 11 Python libraries from their portal for various malicious behaviors, including the collection and theft of user data, passwords, and Discord access tokens and the installation of remote access shells for remote access to infected systems.

According to the security team at DevOps platform JFrog, which discovered this set of malicious libraries, the 11 packages had been downloaded and installed more than 30,000 times before the packages were spotted and reported.

Worth mentioning is that the packages did not appear to have been developed by the same author, as each contained a slightly different malicious behavior and method of exfiltrating data from infected systems, as detailed in the table below.

Package# of downloadsAutomated detection indicatorsDescriptionimportantpackage

important-package6305

12897Shell process with obfuscated input  Hidden connectback shell to psec.forward.io.global.prod.fastly.net, using the trevorc2 clientpptest10001Suspicious version²Uses DNS to send hostname+’|’+os.getcwd()+’|’+str(self.get_wan_ip())+’|’+local_ip_stripboards946Sensitive file handling Suspicious versionDependency confusion, sends user info (username, hostname) via DNS tunneling to b0a0374cd1cb4305002e.d.requestbin.netowlmoon3285eval with obfuscated input Discord token stealer trojan. Sends tokens to https://discord.com/api/webhooks/875931932360331294/wA0rLs3xX_2JgqlfqEfpYoL9zer_Qs7hpsMbwaDl6-UByE_ZRHiXm0t1lr-o_3RFBqBRDiscordSafety557exec with obfuscated inputDiscord token stealer trojan. Sends tokens to https://tornadodomain.000webhostapp.com/stlr.php?token=trrfab287Sensitive file handling Suspicious version Dependency confusion, sends user info (id, hostname, /etc/passwd, /etc/hosts, /home) to yxznlysc47wvrb9r9z211e1jbah15q.burpcollaborator.net10Cent10

10Cent11490

490Shell spawning Suspicious versionConnectback shell to hardcoded address 104.248.19.57yandex-yt4183Suspicious versionPrints pwned message and directs to https://nda.ya.ru/t/iHLfdCYw3jCVQZ, could be a malicious domain (currently seems inactive)yiffparty1859eval with obfuscated inputDiscord token stealer trojan. Sends tokens to https://discord.com/api/webhooks/875931932360331294/wA0rLs3xX_2JgqlfqEfpYoL9zer_Qs7hpsMbwaDl6-UByE_ZRHiXm0t1lr-o_3RFBqBR

Ten of the eleven packages were outright malicious, as it is clear from the table above. One, named yandex-yt, appears to be some sort of test or joke, but one that could easily turn into a malware delivery channel.

One important observation is that two of the 11 packages also abused a new technique called dependency confusion, a technique where attackers register packages with names that might be used inside closed corporate networks, hoping that their public package gets pulled when the corporate package was deleted and the dependency tree was not updated.

JFrog researchers have published an in-depth analysis for each of the 11 malicious PyPI packages they have discovered.

This marks the second time this year when JFrog researchers have discovered malicious Python libraries after finding another eight earlier this year, in July.

The post Malicious Python packages caught stealing Discord tokens, installing shells appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[HackerNews] New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

All posts, HackerNews

Cybersecurity researchers on Wednesday took the wraps off a “simple yet remarkable” malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed “Wslink” by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are […]

Read More

[BleepingComputer] Avaddon ransomware’s exit sheds light on victim landscape

A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation. […] Source: Read More (BleepingComputer)

Read More

[SecurityWeek] NSA Releases Guidance for Securing Enterprise Communication Systems

All posts, Security Week

The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP). UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors. read more Source: Read More (SecurityWeek RSS Feed)

Read More