Another PyPl package is found to just simply be a load of malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Security researchers discovered yet another malicious PyPI package, whose goal is to steal people’s sensitive data and allow unauthenticated users access to the compromised endpoint.

The package, called “colorfool”, was obviously malicious, they said. It had a “suspiciously large” Python file whose only task was to download another file from the internet and run it, while making sure it stayed hidden from the device’s user.

"The function, therefore, immediately seemed suspicious and likely malicious," the report states.

"Borrowing" code

To make matters worse, that wasn’t even the only suspicious thing about this file. The URL from which the package needs to download the payload was hardcoded, which is another red flag. 

The Python script - code.py - carried information-stealing functions, such as keylogging and cookie exfiltration. Besides, it was capable of stealing passwords, killing apps, grabbing screenshots, stealing crypto wallet data, and even use the device’s webcam.

What makes this package different from all the other malicious PyPI packages that security researchers discover on an almost daily basis is its Frankenstein-like nature. The code was patched together from parts of other people’s work, sometimes with no regard to logic, the code’s flow, or anything else, the researchers suggest. As if the author simply copied and pasted parts of the code, often leaving excess code to simply sit there.

"The combination of obfuscation alongside blatant malicious code indicates that it is unlikely that all the code was developed by a single entity," the researchers said. "It is possible that the final developer mostly utilized other people's code, adding it via copy and paste."

In fact, the code even carries the “Snake” game which doesn’t seem to be serving any particular purpose.

For the researchers, this is a perfect example of the “democratization of cybercrime”, where threat actors can simply take code from other threat actors and embed it into their work.

Via: The Register

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.