Security researchers discovered yet another malicious PyPI package, whose goal is to steal people’s sensitive data and allow unauthenticated users access to the compromised endpoint.
The package, called “colorfool”, was obviously malicious, they said. It had a “suspiciously large” Python file whose only task was to download another file from the internet and run it, while making sure it stayed hidden from the device’s user.
"The function, therefore, immediately seemed suspicious and likely malicious," the report states.
"Borrowing" code
To make matters worse, that wasn’t even the only suspicious thing about this file. The URL from which the package needs to download the payload was hardcoded, which is another red flag.
The Python script - code.py - carried information-stealing functions, such as keylogging and cookie exfiltration. Besides, it was capable of stealing passwords, killing apps, grabbing screenshots, stealing crypto wallet data, and even use the device’s webcam.
What makes this package different from all the other malicious PyPI packages that security researchers discover on an almost daily basis is its Frankenstein-like nature. The code was patched together from parts of other people’s work, sometimes with no regard to logic, the code’s flow, or anything else, the researchers suggest. As if the author simply copied and pasted parts of the code, often leaving excess code to simply sit there.
"The combination of obfuscation alongside blatant malicious code indicates that it is unlikely that all the code was developed by a single entity," the researchers said. "It is possible that the final developer mostly utilized other people's code, adding it via copy and paste."
In fact, the code even carries the “Snake” game which doesn’t seem to be serving any particular purpose.
For the researchers, this is a perfect example of the “democratization of cybercrime”, where threat actors can simply take code from other threat actors and embed it into their work.
- Here are the best firewalls today
Via: The Register
