Jan 09, 2023, Ravie Lakshmanan
In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.
The now-removed packages, which were discovered[1] by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles.
The malicious code, as is increasingly the case[2], is concealed in the setup script (setup.py) of these libraries, meaning running a “pip install” command is enough to activate the malware deployment process.
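As an added defensive illustration (not code from the article or from Phylum), the following static check parses a setup.py with Python's ast module and flags the install-time execution patterns described above: subprocess/os calls, payload decoding, PowerShell-related strings, and a cmdclass override that hooks the pip install step. The flagged-name list and the embedded sample setup.py are constructed assumptions, not taken from the real packages.

```python
import ast

# Names a reviewer would flag in setup.py: they let install-time code run commands, decode
# hidden payloads or fetch a second stage. The list is my assumption, not Phylum's.
FLAGGED_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
                 "os.popen", "base64.b64decode", "urllib.request.urlopen", "exec", "eval"}
# Substrings hinting at the PowerShell / ZIP / VBS chain the article describes.
FLAGGED_STRINGS = ("powershell", "cmd.exe", "http://", "https://", ".vbs", ".zip")
# Constructed sample setup.py (not one of the real packages) that hooks 'pip install'.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess
class PostInstall(install):
    def run(self):
        subprocess.Popen(["powershell", "-File", "stage2.ps1"])
setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''


def _resolve(node, aliases):
    """Turn a Name/Attribute chain into a dotted name, expanding import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    root = aliases.get(node.id, node.id) if isinstance(node, ast.Name) else None
    return ".".join(reversed(parts + [root])) if root else None


def scan_setup_py(source):
    """Return sorted (line, reason) findings for install-time execution in a setup.py."""
    tree = ast.parse(source)
    aliases = {}  # local name -> qualified name, from 'import x as y' / 'from x import y'
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
        elif isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(node.func, aliases)
            if name in FLAGGED_CALLS:
                findings.add((node.lineno, f"call to {name}"))
            if name in ("setup", "setuptools.setup") and any(k.arg == "cmdclass" for k in node.keywords):
                findings.add((node.lineno, "setup() overrides cmdclass"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hits = [s for s in FLAGGED_STRINGS if s in node.value.lower()]
            if hits:
                findings.add((node.lineno, f"string mentions {', '.join(hits)}"))
    return sorted(findings)
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` reports the Popen call, the PowerShell string and the cmdclass hook; a plain setup() call with only metadata produces no findings.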
The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and runs a Visual Basic Script extracted from the archive to execute more PowerShell code.
“These libraries allow one to control and monitor mouse and keyboard input and capture screen contents,” Phylum said in a technical report published last week.
The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.
But in what’s a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared[3], a command-line tool for Cloudflare Tunnel[4], which offers a “secure way to connect your resources to Cloudflare without a publicly routable IP address.”
The idea, in a nutshell, is to leverage the tunnel to remotely access the compromised machine via a Flask-based app, which harbors a trojan dubbed xrat (but codenamed poweRAT by Phylum).
The malware enables the threat actor to run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary Python code.
The Flask application also supports a “live” feature that uses JavaScript to listen to mouse and keyboard click events and capture screenshots of the system in order to grab any sensitive information entered by the victim.
“This thing is like a RAT on steroids,” Phylum said. “It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot!”
The findings are yet another window into how attackers are continuously evolving[5] their tactics to target open source package repositories and stage supply chain attacks.
Late last month, Phylum also disclosed[6] a number of fraudulent npm modules that were found exfiltrating environment variables from the installed systems.
References
[1] discovered (blog.phylum.io)
[2] increasingly the case (thehackernews.com)
[3] cloudflared (github.com)
[4] Cloudflare Tunnel (developers.cloudflare.com)
[5] continuously evolving (thehackernews.com)
[6] disclosed (blog.phylum.io)
[7] Twitter (twitter.com)
[8] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/01/malicious-pypi-packages-using.html