Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High

The Python Package Index (PyPI) is an open repository of software packages developed by the Python community to help people quickly develop or update applications. While most of the packages uploaded to PyPI are posted by dedicated individuals looking to support the Python community, threat actors also regularly post packages infected with malware. The FortiGuard Labs team uses a proprietary, AI-driven OSS malware detection system to hunt for and monitor these threats. Recently, we identified a PyPI malware author (who goes by the ID “WS”) discreetly uploading malicious packages to PyPI. We now estimate that there may be well over 2000 victims of “WS” just from the packages described below alone.

The identified packages—nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111—exhibit attack methodologies similar to those outlined in a Checkmarx blog post published four months ago. The similarity suggests a possible connection to a malicious campaign from early 2023. Notably, these packages incorporate base64-encoded source code of PE or other Python scripts within their setup.py files. Depending on the victim devices’ operating system, the final malicious payload is dropped and executed when these Python packages are installed.

A brief timeline of our findings about this info-stealing author is detailed below.

Figure 1: A brief timeline of malicious PyPI packages published by the author “WS”

The packages released before December 2023 are very similar to those discussed in earlier blog posts. Specifically, they deploy Whitesnake PE malware if the victim’s device runs on Windows, or they can deliver a Python script designed to steal information from Linux devices. A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails. Given the strong resemblance of these new packages to the previous ones, we will focus on analyzing the payloads from these more recent variants.

Unlike earlier attacks that targeted both Windows and Linux users, this recent set of packages predominantly targets Windows users. While the executable payload for each package varies slightly from one another, they consistently aim to exfiltrate sensitive information from victims.

Let’s take a brief look at a few of these payloads.

PE Payload of sGMM Package

Unlike the previous Whitesnake PE payloads developed using .NET, this sample manifests as a Python-compiled executable crafted using the PyInstaller tool.

Upon careful examination of its contents post-extraction, the primary script file is revealed as 'main.pyc' accompanied by an 'addresses.py' counterpart. The mere presence of this counterpart raises suspicions.

Figure 2: Extracted files

Figure 3: Decompiled main.pyc

PE Payload of myGens & NewGends Packages

This payload is an encrypted .NET executable. Upon being installed on the user’s device, the payload launches an invisible window of “cmd.exe.” It then uses "powershell.exe" through this window to add itself to the Windows Defender’s exclusion list to bypass the built-in security response:

Figure 5: Adding itself to the Windows Defender exclusion list

It then copies itself to the Windows Application folder and creates a scheduled task to run itself every hour once the device is infected:

• %LOCALAPPDATA%\Packages\Microsoft.Windows.Accounts.ControlRCP_ruzxpnew4af
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{070B9798-7C59-4A69-BB25-F353628999B0}\Path|\MicrosoftWindowsControlRCP

Figure 6: Confirmation of copying itself and scheduling a task

Figure 7: Decryption of “socket.io” and IP

Figure 8: User info grabber

Figure 9: List of Properties for the stealer

Figure 10: Snippet of code showing wallet grabbing

Figure 11: Function showing browser stealing

PE payload of TestLibs111 Package

Once this sample runs, we can observe data being sent to a suspicious IP address (194[.]36[.]177[.]30), as shown in Figure 12. At first glance, we might dismiss these as inconspicuous strings. However, further investigation shows this to be a .zip file shrouded in multiple layers of encryption. This raises serious concerns about its behavior.

Figure 12: Traffic sent to IP address 194[.]36[.]177[.]30

Figure 13: Hex dump of .zip file

Figure 14: Strings found in assembly code

Some of these strings may indicate info-stealing from different services, such as browsers, applications, and cryptocurrency services. Some examples we found included Chrome, Discord, Filezilla, and Coinbase.

When we extract the .zip file, we can see some of the collected content.

Figure 15: zip file contents

The author then exfiltrates this sensitive information to the server.

Conclusion

This blog demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies. Users are urged to exercise utmost caution when using open-source packages, checking for malicious content or payloads that may render targeted devices susceptible to information theft. The narrative of this particular malware author has unfolded over several months and showcases the considerable amount of havoc that has been wrought. Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defenses.

Fortinet Protections

FortiGuard AntiVirus detects the malicious files identified in this report as

nigpal-0.1 setup.py: PYTHON/Agent.c51b!tr
nigpal payload: (PE) MSIL/WhiteSnake.C!tr
nigpal payload: (Python) PYTHON/Agent.7f73!tr
figflix-0.1 setup.py: PYTHON/Agent.c51b!tr
figflix-0.2 setup.py: PYTHON/Agent.c51b!tr
figflix payload: (PE) MSIL/WhiteSnake.C!tr
figflix payload: (Python) PYTHON/Agent.7f73!tr
telerer-2.0 setup.py: PYTHON/Agent.c51b!tr
telerer-2.1 setup.py: PYTHON/Agent.c51b!tr
telerer-2.2 setup.py: PYTHON/Agent.c51b!tr
telerer-2.3 setup.py: PYTHON/Agent.c51b!tr
telerer payload: W32/Kryptik.HTVT!tr
seGMM-1.3.1 setup.py: PYTHON/Agent.c51b!tr
seGMM-3.1.1 setup.py: PYTHON/Agent.c51b!tr
seGMM payload: W32/Kryptik.HTVT!tr
fbdebug-0.1 setup.py: PYTHON/Agent.c51b!tr
fbdebug payload (PE): MSIL/WhiteSnake.C!tr
fbdebug payload (Python): PYTHON/Agent.7f73!tr
sGMM-1.3.2 setup.py: PYTHON/Agent.c51b!tr
sGMM payload: W32/ClipBanker.DE!tr
myGens-1.3 setup.py: PYTHON/Agent.c51b!tr
myGens-1.3 payload: MSIL/Agent.ERW!tr.spy
NewGends-1.3 setup.py: PYTHON/Agent.c51b!tr
NewGends-1.3 payload: MSIL/Agent.ERW!tr.spy
TestLibs111-1.4 setup.py: PYTHON/Agent.c51b!tr
TestLibs111-1.5 setup.py: PYTHON/Agent.c51b!tr
TestLibs111-1.7 setup.py: PYTHON/Agent.c51b!tr
TestLibs111 payload: W32/Agent.ORR!tr.pws

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.

The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users' projects in test phases, and prevents those dependencies from being introduced into users' products.

If you believe these or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs