
Two malicious Python packages revealed by FortiGuard Labs


A report by FortiGuard Labs warns of two newly discovered malicious Python packages. They pose a high risk of login theft, data exfiltration and unauthorized system access.

The first package, Zebo-0.1.0, exhibits advanced malware behavior, including obfuscation techniques that hide its functionality and make it difficult for security tools to identify it as malicious.

The malware includes keylogging and support for exfiltrating sensitive data to remote servers. This poses a serious threat to user privacy and system integrity.

Zebo-0.1.0 uses libraries such as pynput for keylogging and ImageGrab for taking screenshots. This allows the malware to record every keystroke and take periodic snapshots of the user’s desktop. This can reveal passwords, financial information and other sensitive data. The malware stores the data locally before sending it via hidden HTTP requests to a Firebase database, allowing attackers to access the stolen information without detection.

Zebo-0.1.0 also uses a persistence mechanism to ensure that the malware is executed again each time the infected system boots up. This is done by creating scripts and batch files in the Windows startup folder. They allow it to remain present on the system without the user’s knowledge, making it difficult to remove and allowing for long-term data theft and surveillance.

Malicious Features

The second package, Cometlogger-0.1, comes with malicious functions targeting system credentials and user data. The malware dynamically injects webhooks into the code at runtime, allowing it to send sensitive data, including passwords and tokens, to remote servers the attackers manage.

Cometlogger-0.1 also has capabilities to bypass detection and disrupt analysis. One capability, anti-virtual machine detection, checks for signs of sandbox environments commonly used by security researchers. If it detects VM indicators, execution of the malware stops, allowing it to bypass analysis and go undetected in live environments.

Account hijacking

Fortinet considers both identified packages dangerous. However, the researchers say that Cometlogger-0.1 goes a step further with its ability to steal a wide range of user data, including session cookies, stored passwords and browser history. It can also target data from services such as Discord, X and Steam, which opens the door to account hijacking and identity impersonation.

“The script (Cometlogger-0.1) exhibits several features of malicious intent, including dynamic file manipulation, webhook injection, information stealing, ANTI-VM,” the researchers note. “While some features may be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.”

The researchers state that, to prevent infection, it is important to always verify third-party scripts and executables before they are executed. Organizations should also deploy firewalls and intrusion detection systems to identify suspicious network activity, train employees to recognize phishing attempts, and prevent unauthenticated scripts from being executed.
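The behaviors the report attributes to the two packages (pynput keylogging, ImageGrab screenshots, scripts dropped in the Windows startup folder, hidden HTTP requests to a Firebase database, runtime webhook injection, anti-VM checks) are all visible as strings or imports in the package source, which makes them a natural input for the "verify third-party scripts before executing them" advice above. The following script is an added example, not FortiGuard's tooling or anything from the packages themselves: it statically triages an unpacked package directory for those indicators and returns a clean/review/block verdict. The regex set, the weights and the block threshold are assumptions chosen for illustration, and the two embedded samples are constructed here and contain no working payload.

```python
"""Pre-install static triage of a Python package for the indicators described
in the FortiGuard report. Hypothetical helper; the pattern list and scoring are
heuristics, not a signature set, so treat 'review' as a prompt for manual analysis."""
import os
import re
import sys

# (indicator name, weight, pattern). Weights and names are assumed, not from the report.
INDICATORS = [
    ("keylogging_import", 3, re.compile(r"^\s*(?:from|import)\s+pynput\b", re.M)),
    ("screenshot_import", 2, re.compile(r"\bImageGrab\b")),
    ("startup_folder_persistence", 3, re.compile(r"Programs[\\/]+Startup\b", re.I)),
    ("firebase_endpoint", 3, re.compile(r"firebaseio\.com|firebasedatabase\.app", re.I)),
    ("webhook_url", 3, re.compile(r"https?://\S*webhook", re.I)),
    ("base64_exec_obfuscation", 3, re.compile(r"\bexec\s*\([^\n]*b64decode")),
    ("anti_vm_strings", 2, re.compile(r"\b(?:vmware|virtualbox|vbox|qemu|hyper-?v)\b", re.I)),
]
BLOCK_THRESHOLD = 5  # assumed: two strong indicators together are enough to block install

# Constructed samples for demonstration only; the first mimics the *shape* of the
# reported packages (imports and string literals) and does nothing if run.
SUSPICIOUS_SAMPLE = r'''
import base64
from pynput import keyboard
from PIL import ImageGrab
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DB_URL = "https://example-project.firebaseio.com/keys.json"
exec(base64.b64decode(PAYLOAD))
'''
BENIGN_SAMPLE = '''
import requests

def fetch(url):
    return requests.get(url, timeout=10).text
'''


def scan_source(text):
    """Return the names of all indicators found in one source file, in INDICATORS order."""
    return [name for name, _w, rx in INDICATORS if rx.search(text)]


def score(found):
    """Sum the weights of the indicators that were found."""
    weights = {name: w for name, w, _rx in INDICATORS}
    return sum(weights[n] for n in found)


def scan_files(files):
    """files: mapping of path -> source text. Returns per-file findings, a total score
    and a verdict of 'clean', 'review' or 'block'."""
    report, total = {}, 0
    for path, text in files.items():
        found = scan_source(text)
        if found:
            report[path] = found
            total += score(found)
    verdict = "block" if total >= BLOCK_THRESHOLD else ("review" if total else "clean")
    return {"files": report, "score": total, "verdict": verdict}


def scan_directory(root):
    """Read every .py file under root (e.g. an unpacked sdist or wheel) and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            if n.endswith(".py"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    # Usage: python triage.py <unpacked-package-dir>; with no argument, scan the samples.
    if len(sys.argv) > 1:
        result = scan_directory(sys.argv[1])
    else:
        result = scan_files({"sample/bad.py": SUSPICIOUS_SAMPLE, "sample/ok.py": BENIGN_SAMPLE})
    for path, found in result["files"].items():
        print(f"{path}: {', '.join(found)}")
    print(f"score={result['score']} verdict={result['verdict']}")
```

Run it against the extracted contents of a wheel or sdist before `pip install`; a `block` verdict means the package combines at least two of the reported behaviors and should not be installed without a full review. Because the checks are string-based, heavily obfuscated code can evade them, which is exactly why the report stresses that obfuscation itself is a warning sign.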
