Dec 24, 2024Ravie LakshmananMalware / Data Exfiltration

Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs.

The packages, named zebo and cometlogger, attracted 118 and 164 downloads each, prior to them being taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.

Zebo is a “typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” security researcher Jenna Wang said, adding cometlogger “also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-[virtual machine] checks.”

The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the command-and-control (C2) server it communicates with over HTTP requests.

It also packs in a slew of features to harvest data, including leveraging the pynput library to capture keystrokes and ImageGrab to periodically grab screenshots every hour and save them to a local folder, prior to uploading them to the free image hosting service ImgBB using an API key retrieved from the C2 server.

In addition to exfiltrating sensitive data, the malware sets up persistence on the machine by creating a batch script that launches the Python code and adds it to the Windows Startup folder so that it’s automatically executed upon every reboot.

Cometlogger, on the other hand, is a lot of feature-packed, siphoning a wide range of information, including cookies, passwords, tokens, and account-related data from apps such as Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox.

It’s also capable of harvesting system metadata, network and Wi-Fi information, a list of running processes, and clipboard content. Furthermore, it incorporates checks to avoid running in virtualized environments and terminates web browser-related processes to ensure unrestricted file access.

“By asynchronously executing tasks, the script maximizes efficiency, stealing large amounts of data in a short time,” Wang said.

“While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute. Always scrutinize code before running it and avoid interacting with scripts from unverified sources.”