FortiGuard Labs Threat Research
The FortiGuard Labs team has discovered another new 0-day attack in a PyPI package (Python Package Index) called “web3-essential”. It was discovered on January 30, 2023, by monitoring an open-source ecosystem. The package was published on January 26, 2023, the same day as its author, ‘Trexon’, joined the repository. Given the frequency of this pattern of simultaneously joining and publishing, it may be a wise idea to take precautions for downloading packages published by newly joined authors.
The author included a brief description of the project along with a unique version number of ‘1.0.4b0’ as if to try and avoid suspicion.
The package includes malicious code in its setup.py installation script that downloads and runs an executable file as a part of its installation.
The interesting element is the URL, which requires deeper analysis:
As shown in the VirusTotal entry below, the download URL includes the following binary exe (SHA 256):
While this download URL is only detected by one vendor, a few vendors do flag the downloaded executable file as malicious.
The downloaded executable seems to be a Go-compiled executable file. Let’s try running it.
One suspicious behavior conducted by ‘ily.exe’ is that it creates DB files in the ‘%USER%\AppData\Local\cloudflare-warp-cache\raw\’ folder. This may be used for recording sensitive user data and credentials.
Let’s take a look at the DB files below. We can safely assume they will be used for saving sensitive data and credentials, such as credit card and log-in information.
When we take a look inside the binary using IDA, we see many strings that raise suspicions. We can also get some clues about the malware behavior by observing these. Some keywords of interest include, ‘virus’, ‘wallets’, ‘browsers’, ‘login’, and ‘passwords’.
Below we can also see some strings with ‘.zip’ for several browser names which could be indication of saving the sensitive information as a zip file.
The examples in the code shown below are of the browsers that the malware takes an interest in.
We also found an interesting URL embedded in the code:
It uses a Go package, ‘dishooks’, which is a Discord webhook API wrapper. Within the URL, we see that it may be related to a “Spidey Bot” malware which is known to steal personal information through Discord.
In this blog, we saw a new author upload a malicious package on the same day as they joined. This package included a very simple python script that leads to downloading a malicious binary executable designed to steal sensitive information like credit cards and logins.
In our previous blogs looking at malicious PyPI packages, we have observed that malware authors commonly behave in this way. We have also learned that these malicious executable are also frequently compiled using a variety of compilers, such as Go-compiler or PyInstaller, etc.
Python Package Index administrators have confirmed that after notification by FortiGuard Labs, this package has been taken down.
FortiGuard AntiVirus detects the malicious executables identified in this report as
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects the download URLs cited in this report as Malicious and blocks them.
If you think you’ve been impacted by this or any other cybersecurity threat, reach out to our Global FortiGuard Incident Response Team.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.