Researchers found a new zero-day attack embedded in three PyPI packages.
Researchers at FortiGuard Labs discovered a zero-day attack while monitoring an open-source ecosystem. The attack was embedded in three PyPI packages named colorslib, libhttps, and httpslib, all published by an author called Lolip0p. The author's account on the repository was created around the same time the malicious packages were published.
The packages colorslib and httpslib used in this supply chain attack were posted on January 7 and relied on their project descriptions to appear legitimate. The colorslib description listed features such as handling colors, generating boxes, and manipulating text alignment, and summarized the package as "A library designed for making working with terminal user interfaces easier."
libhttps 4.6.12 listed specific features that 'Lolip0p' claimed it offered, including thread safety, connection pooling, and helpers for retrying requests and handling HTTP redirects. Its convincing description presented it as a powerful HTTP client for Python, noting that the Python ecosystem already uses urllib3 and suggesting that others should use this package as well.
All versions of these PyPI packages were found to be malicious and shared a similar setup.py script. Although the download URL it contacted was not flagged by several researchers, some vendors detected the file it served as a malicious executable.
Understanding the supply chain attack
In this attack, the identical PyPI packages used PowerShell to download a payload from the URL https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0
Its VirusTotal entry listed the downloaded binary with SHA-256 8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b
When update.exe runs, it writes several files to the %USER%\AppData\Local\Temp\onefile_%PID_%TIME% folder, as shown below:
The malicious executables and their detection names were:
- Oxzy.exe: Malicious_Behavior.SB
- update.exe: PossibleThreat.PALLASNET.H
- SearchProtocolHost.exe: Malicious_Behavior.SB
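As an added example (not part of the FortiGuard write-up), a small static checker that flags the install-time behaviour described above in a setup.py: process or code execution, network fetches, PowerShell strings, and URLs pointing at executables. The sample setup.py, its package name, and the placeholder URL are constructed for illustration and are not the real payload.

```python
import ast
import re
from typing import List

# Install-time behaviours a defender would flag in a setup.py: process or code
# execution, network fetches, PowerShell strings and URLs to executable payloads.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
NET_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
             "urlopen", "urlretrieve", "requests.get", "requests.post"}
PAYLOAD_URL = re.compile(r"https?://\S+\.(?:exe|dll|ps1|bat)\b", re.I)


def _call_name(node: ast.Call) -> str:
    """Render a call target such as subprocess.run or exec as a dotted name."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_setup_py(source: str) -> List[str]:
    """Statically inspect setup.py source and return a list of findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: execution via {name}")
            elif name in NET_CALLS:
                findings.append(f"line {node.lineno}: network fetch via {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "powershell" in node.value.lower():
                findings.append(f"line {node.lineno}: PowerShell in string literal")
            if PAYLOAD_URL.search(node.value):
                findings.append(f"line {node.lineno}: executable URL in string literal")
    return findings


# Constructed sample mimicking the pattern (placeholder URL, not the real payload).
SAMPLE_SETUP_PY = """from setuptools import setup
import os
os.system('powershell -Command "<placeholder fetching https://example.invalid/x.exe>"')
setup(name="constructed-lookalike", version="0.0.1")
"""
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` yields three findings on line 3 of the sample; a setup.py that only calls `setup()` yields none.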
The indicators of compromise
- Malicious URLs
The same author posted separate Python packages carrying the same code for this supply chain attack. One file the researchers highlighted was detected as malicious by several vendors; its SHA-256 is 123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638.
Although Fortinet blocked the malicious URLs, the researchers urged users to be cautious about running code from relatively new authors, even when the package description looks legitimate. They also noted that an author publishing several packages within a short span of time does not make that author any more trustworthy.