FortiGuard Labs Threat Research
New Supply Chain Attack Uses Python Package Index “aioconsol”
Our team has discovered another 0-day attack embedded in a PyPI package (Python Package Index). This one is called “aioconsol.” It was found on December 9, 2022, by monitoring an open-source ecosystem. This Python package was published on December 6, 2022, as shown in its official PyPI repository. As can be seen, all three versions of this malware were published on the same day. Like the “shaderz” zero-day PyPI attack we discovered and posted last week, this malicious package does not include a clear description of its project or source page.
Figure 1: Blank project description
Figure 2: Release history
Version 2.0 of the package includes malicious code in its setup.py installation script that writes what appears to be a binary to a file called “test.exe” and executes it as a part of its installation.
Figure 3: setup.py from version 2.0
In the previous versions, 1.0 and 0.0, a similar malicious code appears in its __init__.py scripts, as shown below.
Figure 4: __init__.py from version 1.0
Figure 5: __init__.py from version 0.0
As shown in the VirusTotal entry below, several vendors flag this binary exe as malicious (SHA 256):
52e6efbbfb1fdeb976e2464c542bc17747d213d67f28dff4d7df0879df23fd7e
Figure 6: Vendors that detect the binary executable test.exe
Examining the Package
Let’s jump right into the binary exe and run it. It creates a subprocess called ‘stub.exe.’
Figure 7: test.exe process running
It drops a series of files to the folder ‘%USER%\AppData\Local\Temp\onefile_%PID_%TIME%’, as shown below.
Figure 8: Dropped files
This dropped executable ‘stub.exe’ is flagged as malicious by only a handful of vendors (SHA 256):
8124cec491e0249bc4a9f3f9d3755201b0e8c28068ce8c4b528217dbb94afd13
Figure 9: Vendors that detect stub.exe
After we run test.exe, we see that it copies itself to ‘%USER%\AppData\Local\WindowsControl’ as ‘Control.exe’ and drops a ‘run.bat’ batch file.
Figure 10: Created files
The run.bat script shows the path to the file ‘Control.exe,’ which may be used to run it at startup.
Figure 11: run.bat
Conclusion
This is the second malicious zero-day Python Package Index (PyPI) supply chain attack we have discovered in less than a week. This technique is often used because malware authors can store an entire binary executable inside a simple python script. This can have drastic effects, potentially damaging your system and exposing users to vulnerabilities. Individuals and organizations need to be wary of installing python packages in the wild as they may include malware.
Fortinet Protections
FortiGuard AntiVirus detects the malicious executables identified in this report as
test.exe: W32/PossibleThreat
stub.exe: W32/Agent.AHP!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.
IOCs
test.exe
52e6efbbfb1fdeb976e2464c542bc17747d213d67f28dff4d7df0879df23fd7e
stub.exe
8124cec491e0249bc4a9f3f9d3755201b0e8c28068ce8c4b528217dbb94afd13
FortiGuard Labs responsibly disclosed the malicious aioconsol package to Python and it has been removed.
