FortiGuard Labs Threat Research

Supply Chain Attack via New Malicious Python Packages by Malware Author Core1337

By Jin Lee | February 08, 2023

The FortiGuard Labs team recently discovered several new 0-day attacks in PyPI (Python Package Index) packages by the malware author ‘Core1337’, who published the following packages: ‘3m-promo-gen-api’, ‘Ai-Solver-gen’, ‘hypixel-coins’, ‘httpxrequesterv2’, and ‘httpxrequester’. These packages were published between January 27 and January 29, 2023. Each package had a single version and an empty description, and all contained similar malicious code. For brevity, this blog examines the ‘3m-promo-gen-api’ package as representative of the entire set.

Figure 1: Author information

Figure 2: Empty project description of ‘3m-promo-gen-api’

Figure 3: Package release history of ‘3m-promo-gen-api’


The first thing we notice in its setup.py is what looks like a webhook URL:

hxxps://discord[.]com/api/webhooks/1069214746395562004/sejnJnNA3lWgkWC4V86RaFzaiUQ3dIAG958qwAUkLCkYjJ7scZhoa-KkRgBOhQw8Ecqd

Each package includes similar code in its setup.py, differing only in the webhook URL. Examining the URL shows it may be related to the “Spidey Bot” malware, known to steal personal information through Discord, as seen in our previous blog about the package web3-essential.

Figure 4: Webhook URL in setup.py

Figure 5: Content of the webhook URL

When we perform static analysis of its setup.py script, we spot several potentially malicious behaviors, described below. Note that all the figures are taken from setup.py.

The primary function gives a general idea of the malware's behavior: it tries to retrieve sensitive information from several browsers and from Discord, then saves it to a file for exfiltration.


Figure 6: Main function ‘GatherAll’

Take the ‘getPassw’ function, for example. It attempts to gather usernames and passwords from the browsers listed in Figure 6 and then saves them to a text file. The list of websites in Figure 8 may be used when retrieving the information mentioned earlier. We also see that the malware names itself ‘Fade Stealer’, writing that name at the top of its text file. Similar behavior is found in its ‘getCookie’ function.

Figure 7: Function ‘getPassw’

Figure 8: List of websites from which the malware tries to retrieve sensitive information

Figure 9: Malware names itself ‘Fade Stealer’

Looking at the ‘upload’ function, we see clear clues about what it does: it uses the webhook URL discussed above to exfiltrate the stolen files and data.

Figure 10: Snippets of code of the ‘upload’ function

From the functions ‘Kiwi’, ‘KiwiFile’, and ‘uploadToAnonfiles’, we can safely assume that it searches specific folders for file names containing specific keywords and transfers the matching files through the file-sharing site ‘https://transfer.sh/’. Many of these keywords relate to logins, accounts, banks, etc.

Figure 11: Kiwi function shows a list of keywords of interest

Figure 12: KiwiFile function retrieves the file names matching the keywords for upload

Figure 13: uploadToAnonfiles function uploads retrieved files to a file-sharing site
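As an added example (not FortiGuard's code and not code from the packages), the following static check flags the install-time indicators described above in a package's setup.py before it is installed: Discord webhook URLs, transfer.sh, the ‘Fade Stealer’ banner, imports a setup script rarely needs, and a setuptools install hook. The regexes, the module list and the constructed sample setup.py (with placeholder webhook id and token) are this example's own assumptions.

```python
import ast
import re

# Indicators taken from the behaviour the blog describes (Discord webhook for
# exfiltration, transfer.sh for uploads, the 'Fade Stealer' banner). The regexes
# are this example's own, not FortiGuard's detection signatures.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "transfer_sh": re.compile(r"https?://transfer\.sh/"),
    "stealer_banner": re.compile(r"fade stealer", re.IGNORECASE),
}
# Modules a legitimate setup.py rarely needs; their presence warrants a closer look.
SUSPICIOUS_IMPORTS = {"requests", "urllib", "urllib3", "httpx", "sqlite3", "ctypes", "win32crypt"}


def scan_setup_py(source: str) -> list:
    """Statically scan setup.py text; return sorted (line, finding) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for kind, pattern in INDICATORS.items():
                if pattern.search(node.value):
                    findings.append((node.lineno, kind))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [node.module] if getattr(node, "module", None) else [a.name for a in node.names]
            for root in {n.split(".")[0] for n in names}:
                if root in SUSPICIOUS_IMPORTS:
                    findings.append((node.lineno, f"suspicious_import:{root}"))
        elif isinstance(node, ast.ClassDef):
            # Subclassing setuptools' install command lets code run at 'pip install' time.
            if any(ast.unparse(b).endswith("install") for b in node.bases):
                findings.append((node.lineno, "install_hook"))
    return sorted(findings)


# Constructed sample mimicking the shape of the packages described above;
# the webhook id/token are placeholders and the install hook carries no payload.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import requests

WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE-TOKEN"
BANNER = "Fade Stealer"

class PostInstall(install):
    def run(self):
        install.run(self)  # constructed sample: no payload here

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` reports the suspicious import, the webhook URL, the banner and the install hook with their line numbers; a plain `setup()` call yields no findings.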

Conclusion

In this blog, we saw a single malware author publish several packages with entirely different names but similar code designed to launch attacks. A malware author can carry out an attack such as stealing sensitive information over a Discord webhook with a single Python script.

Fortinet Protections

FortiGuard Labs notified Python Package Index administrators about this malicious package, and they have confirmed that it has been taken down.

FortiGuard AntiVirus detects the malicious scripts identified in this report as:

setup.py: Python/Agent.DC4D!tr.pws

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.

If you think this or any other cybersecurity threat has impacted you, contact our Global FortiGuard Incident Response Team.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.

IOCs

setup.py

915b75ea258a42c5c1916d18a42302bbafa960bdafea1588b772d5284eec1997

Malicious URLs

hxxps://discord[.]com/api/webhooks/1069214746395562004/sejnJnNA3lWgkWC4V86RaFzaiUQ3dIAG958qwAUkLCkYjJ7scZhoa-KkRgBOhQw8Ecqd