Recently, researchers have identified a malicious PyPI package that delivers a fully-featured information stealer and remote access trojan dubbed Colour-Blind.

PyPI repositories have been a frequent and easy target of several attackers, as anyone can publish packages without any need for thorough user validation or code testing. 

What has been discovered?

According to Kroll researchers, the suspicious package, named colourfool, comprises a single file setup[.]py designed to download a file from pastebin[.]com.
  • The Python file attempts to execute the downloaded file (code.py) without catching the user’s attention. For this, during the installation process, it redirects all the output messages to the null device.
  • Upon failure, the file returns a hardcoded Discord URL.
  • It copies the downloaded file into the same directory in which the interpreter python[.]exe resides. Additionally, it performs checks with the copy functionality to avoid reinfection.

The payload

The installed package, code[.]py is a Python script, comparatively larger (over 300 KB) than the first stage script, and comprises over 2,000 lines of code.
  • It contains several modules with the ability to log keystrokes, execute commands, peek into the web camera, and steal cookies, passwords, and crypto wallet data.
  • One module, dubbed disable_antivirus, is designed to disable Microsoft Defender.
  • The developer used several tricks to obfuscate the malicious code: using machine-readable variable names: encrypting the Pastebin URL to hide the actual domain name (clearstride[.]io); ensuring the victim's device is not running in a VM or a sandbox. 
  • It, further, uses the legitimate file hosting service transfer[.]sh for data exfiltration, and establishes persistence via another Visual Basic script (Essentials.vbs) that creates a batch file to initiate the malware during the Windows startup process.

Ending notes

In the past few months, several researchers have observed malicious packages flooding PyPI. Last month, researchers observed a wave of attacks in which several malicious packages were observed targeting the PyPI repository. To stay protected, users are urged to stay cautious when downloading and running any packages and double-check the reviews and author details.
Cyware Publisher

Publisher

Cyware