FortiGuard Labs Threat Research
More Supply Chain Attacks via New Malicious Python Packages in PyPi
The FortiGuard Labs team has discovered another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’. These two packages were discovered on January 31, 2023, by monitoring an open-source ecosystem. They were both published on January 27, 2023. Each included one version and an empty description, as shown below.
Figure 1: Package ‘xhttpsp’ author information
Figure 2: Project description of ‘xhttpsp’
Figure 3: Package release history of ‘xhttpsp’
Figure 4: Package ‘httpssp’ author information
Figure 5: Project description of ‘httpssp’
Figure 6: Package release history of ‘httpssp’
The two packages included the same malicious code in their setup.py installation script, which appears to be encoded with Base64.
Figure 7: setup.py script
When we decoded the encoded string, we found python code, some of which are shown below.
Figure 8: Decoded string
Within the string, we find an interesting URL, ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx', which the malware reads and then writes to a file to execute.
This URL has not previously been detected by any other threat researchers.
Figure 9: The URL has not been detected by VirusTotal
When accessing the URL, we found heavily obfuscated code, shown below.
![Figure 10: Contents of the URL ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx’](/blog/threat-research/more-supply-chain-attacks-via-new-malicious-python-packages-in-pypi/_jcr_content/root/responsivegrid/image_338434604.img.png/1675756548802/fig10-content-url-sj535bx.png)
Figure 10: Contents of the URL ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx’
When we execute the decoded code from Figure 8, we notice that it drops a file to an arbitrary location with a random name and extension. This may be due to changes in the code every time the URL is refreshed. In this case, it drops the file to ‘%USER%\AppData\Local\Temp’ as ‘yzulmvnb.jpg’ and sets a registry key for auto-run.
Figure 11: Dropped file
Figure 12: Autorun set at startup
When examining the dropped file, we observe that it is another script similar to the one shown in the URL contents.
Figure 13: Contents of the dropped file
Let’s try executing this dropped file.
Figure 14: Dropped file running
One suspicious behavior when executing this file is that it drops a binary executable file to the ‘%USER%’ folder as ‘update.exe’.
Figure 15: Dropped executable file update.exe
A handful of vendors flag this dropped executable file as malicious (SHA 256):
618c11e03328eb0cc47ac21964479901dfaaa8a038e4145e247374169d6528f9
Figure 16: Vendors that detect the dropped executable file update.exe
As shown in Figure 14, it then runs a Powershell, which is another suspicious behavior. It also copies itself to ‘%USER%\AppData\Roaming\Google’ as ‘Chrome.exe’ and sets autorun for this copied executable.
Figure 17: Dropped copy as Chrome.exe
Figure 18: Autorun set at startup for Chrome.exe
When we dive into the ‘update.exe’ code, we see a binary embedded within it, as shown below.
Figure 19: Snippet of code of binary embedded in update.exe in dnSpy
Figure 20: Snippet of code of update.exe in dnSpy
The embedded binary is a .dll file. As shown in the VirusTotal entry below, many vendors flag this binary, ‘Rdudkye.dll,’ as malicious (SHA 256):
19e9dbfe9df33f17664e780909054b48c62d3dd66e11f31f3a657d18ac4c752f
Figure 21: Vendors that detect the binary Rdudkye.dll
While the code is very obfuscated, some functions give clues about what it may do or its capabilities. We can see some interesting functions such as DiscordApi, TelegramApi, Inject, ProcessHollowing, RemoteThreadInjection, HiddenStartup, etc.
Figure 22: Snippet of functions of Rdudkye.dll in dnSpy
This blog shows that although the malicious python script may appear simple, it is more complex than it seems with multiple layers. With just a simple copy and paste of a brief code, malware authors are able to easily distribute malicious packages to steal or exfiltrate sensitive data through platforms such as Discord and Telegram. A good indication of a malicious package is when a lot of obfuscation is involved. This technique is quite common among malware authors, so it may be a wise idea for Python end users to check twice for this before using new packages.
Fortinet Protections
FortiGuard Labs notified Python Package Index administrators about this malicious package, and they have confirmed that it has been taken down.
FortiGuard AntiVirus detects the malicious executables identified in this report as
update.exe: MSIL/Agent.OQX!tr.dldr
Rdudkye.dll: MSIL/Kryptik.AGJS!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.
IOCs
update.exe
618c11e03328eb0cc47ac21964479901dfaaa8a038e4145e247374169d6528f9
Rdudkye.dll
19e9dbfe9df33f17664e780909054b48c62d3dd66e11f31f3a657d18ac4c752f
Malicious URLs
http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.
