PyPI Malware Campaign Adds a Cloudflare Tunnel to Bypass Firewall Restrictions

  |  Source: 

PyPI Malware Campaign Adds a Cloudflare Tunnel to Bypass Firewall Restrictions

Phylum Research Team reports another PyPI (Python Package Index) malware campaign with at least six packages distributing information-stealing and remote access trojan (RAT) malware, implementing a Cloudflare tunnel, bypassing network firewall restrictions and allowing for remote access. Pythum discovered the malicious packages on Thursday, December 22nd, 2022, observing at "first glance, it looked like pretty standard Python malware calling exec on a decoded Base64-encoded string so we reported it and moved on. One thing that did stick out in this package, however, was the fetching of a zip file from a transfer[.]sh site and some strings that contained PowerShell code with 'SilentlyContinue' and -WindowStyle Hidden in it. This looked like a clear attempt to hide whatever code the attacker was trying to execute."

The attack chain beings through a python installer script (setup.py) which contains an encoded PowerShell script to download a ZIP file with 'Invoke-WebRequest.' When unzipped various Python dependencies are dropped into the host's local temp directory including libraries to enable screen capture, mouse movement, and files to facilitate network tunneling with Cloudflare. The installer script also uses WScript.exe to launch PowerShell.exe silently. Using the information-stealing malware and remote access trojan installed on the victim's host, the threat actors gather user credentials, cryptocurrency addresses, and files dropping any additional malware if necessary. Files collected are zipped and exfiltrated to the attacker's domain and a ping command issued to the attacker's onion site signals the completion of the data exfiltration. These malicious packages distributing malware have been reported by Phylum which has since been removed from PyPI.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now