Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”

The FortiGuard Labs team has discovered a new 0-day attack embedded in three PyPI packages (Python Package Index) called ‘colorslib’, ‘httpslib’, and “libhttps”. They were found on January 10, 2023, by monitoring an open-source ecosystem. The Python packages “colorslib” and “httpslib” were published on January 7, 2023, and “libhttps” was published on January 12, 2023. All three were published by the same author, ‘Lolip0p’, as shown in the official PyPI repository.  ‘Lolip0p’ joined the repository close to the publish date.

The author puts the project description that may look legitimate and clean as shown below.

All versions of these packages are malicious.

Interestingly, when we look at the setup.py script for these packages, we find they are identical.

They try to run a PowerShell with a suspicious URL that needs further analysis:

https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0

As shown in the VirusTotal entry below, the download URL includes the following binary exe (SHA 256):

8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

While this download URL has not previously been detected by any other threat researchers, some vendors do flag the downloaded executable file as malicious.

The downloaded executable is called ‘Oxyz.exe’. It drops another executable, ‘update.exe’, that runs in the folder ‘%USER%\AppData\Local\Temp\’

As shown in the VirusTotal entry below, several vendors flag this binary exe as malicious (SHA 256):

293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

When running ‘update.exe’, it drops a series of files to the folder ‘%USER%\AppData\Local\Temp\onefile_%PID_%TIME%’.

The dropped file, ‘SearchProtocolHost.exe’, is flagged as malicious by several vendors (SHA 256):

123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

Conclusion

In this blog, we showed a single author posting separate Python packages that use the same code to launch an attack. The author also positions each package as legitimate and clean by including a convincing project description. However, these packages download and run a malicious binary executable.

Python end users should always perform due diligence before downloading and running any packages, especially from new authors. And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable.

Fortinet Protections

FortiGuard AntiVirus detects the malicious executables identified in this report as

Oxzy.exe: Malicious_Behavior.SB

update.exe: PossibleThreat.PALLASNET.H

SearchProtocolHost.exe: Malicious_Behavior.SB

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.

IOCs

Oxzy.exe

            8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

update.exe

            293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

SearchProtocolHost.exe

            123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

Malicious URLs

https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.