Threat Research

Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 2)

By Jin Lee | December 14, 2022

In this second part of our Shaderz zero-day analysis, we look closely at its downloaded executables. Refer to Part One of this blog for more background.

To start, we found that this is a multi-stage attack:

1. Stage one – Connect to a suspicious URL to download the executable ‘stub.exe’ using setup.py found in the package

2. Stage two – ‘stub.exe’ downloads another executable called ‘main.exe’

3. Stage three – executing ‘main.exe’

Downloaded stub.exe executable

As we look deeper into the first executable, ‘stub.exe’, we find that it is a 64-bit PyInstaller compiled executable (Python version 3.11).
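To reproduce the identification above on a sample of your own, the following added triage script (not code from the original post or from the malware) reads the PE header to get the target architecture and then looks for the PyInstaller archive cookie appended to the executable, decoding the bundled Python version from it. The cookie layout and the version encoding used here are the ones handled by common PyInstaller extraction tools; the sample binary the script builds is a constructed stand-in, not the real ‘stub.exe’.

```python
import struct

# PyInstaller's CArchive "cookie", appended to the onefile overlay.
# Layout (PyInstaller >= 2.1): magic(8) len_pkg(u32) toc_off(u32) toc_len(u32)
# pyvers(u32) pylib_name(64), big-endian, 88 bytes in total.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88

PE_MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}


def pe_machine(data: bytes):
    """Return the PE Machine field as text, or None if the blob is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return PE_MACHINE.get(machine, f"unknown (0x{machine:04x})")


def pyinstaller_info(data: bytes):
    """Locate the PyInstaller cookie and decode the bundled Python version.

    Returns None when the magic is absent. The cookie normally sits at the very
    end of the overlay, but signed binaries can carry trailing data, so the
    magic is searched for from the end rather than read at a fixed offset.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, len_pkg, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Version encoding: 311 -> 3.11 (newer bootloaders); 37 -> 3.7 (older ones)
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return {
        "python_version": f"{major}.{minor}",
        "archive_len": len_pkg,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "pylib": pylib.rstrip(b"\x00").decode(errors="replace"),
    }


def triage(data: bytes):
    """Summarise architecture and PyInstaller metadata for one executable blob."""
    return {"machine": pe_machine(data), "pyinstaller": pyinstaller_info(data)}


def build_sample() -> bytes:
    """CONSTRUCTED stand-in for a 64-bit PyInstaller/Python 3.11 binary: a minimal
    PE header, a dummy overlay and a PyInstaller cookie. Not the real stub.exe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    pe = b"PE\x00\x00" + struct.pack("<H", 0x8664)  # IMAGE_FILE_MACHINE_AMD64
    overlay = b"\x00" * 256  # stands in for the compressed archive
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(overlay) + COOKIE_SIZE,
                         0, 0, 311, b"python311.dll")
    return bytes(dos) + pe + overlay + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(blob))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed sample reported as x64 with Python 3.11. A positive cookie match is what tells you the embedded Python bytecode can be extracted and disassembled, as was done for Figure 1.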

We observed key behaviors from the disassembled Python byte code of ‘stub.exe’ shown below.

Figure 1: Snippet of disassembled Python byte code for stub.exe

The ‘main.exe’ executable downloaded from URL hxxps://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe is saved to ‘%USER%\AppData\Roaming\Microsoft\Windows\Themes\screen.scr’.

Figure 2: Downloaded executable ‘main.exe’ saved to screen.scr

It then runs the executable:

Figure 3: screen.scr process running

We can also see it sets autorun for this downloaded executable at startup.

Figure 4: Autorun set at startup for the downloaded executable

Downloaded main.exe executable

The second downloaded executable is where the more malicious behavior happens.

Similar to Part One of this blog, the download URL https://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe serves the following executable (SHA-256):

d1f0583169acde756793d7d5d69afbb72331c931a88749eab14f28ecda3ef5ce

As with the previous executable, this download URL had not previously been flagged by any other threat researchers.


Figure 5: This URL has not been detected by VirusTotal

However, some vendors flag this downloaded executable file as malicious, as shown below.

Figure 6: Vendors that detect the downloaded executable

This executable is also a 64-bit PyInstaller compiled executable (Python version 3.11). As shown below, it uses a powerful Python obfuscator called Hyperion in its Python byte code.

Figure 7: Snippet of disassembled Python byte code for main.exe

Figure 8: Python obfuscator Hyperion


One suspicious behavior of ‘main.exe’ is that it creates a series of text and DB files in the ‘%USERPROFILE%\AppData\Local\Temp’ folder, into which it then stealthily records sensitive user data and credentials.

Figure 9: Text files that may save sensitive data
Figure 10: DB files that may save sensitive data

When we look into any of these text files, we see that the malware names itself ‘Subliminal Stealer.’

Figure 11: History.txt


Let’s take a look at the DB files below. Judging by their names, we can safely assume that they are used for saving sensitive data and credentials, such as credit card and log-in information.

Figure 12: sublimCreditCards.db

Figure 13: sublimHistory.db

Figure 14: sublimPasswords.db
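The host artifacts described above (the payload saved as screen.scr under the Themes folder and started at logon, and the ‘sublim*.db’ stealer files in the Temp folder), together with the hash and URL IoCs from this report, can be turned into a simple triage check. The script below is an added example, not code from the original post or from Fortinet; it runs over a constructed inventory of file paths, Run-key values and URLs so that it works offline, and the only IoC values in it are the ones published in this report.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# IoCs taken from this report
MAIN_EXE_SHA256 = "d1f0583169acde756793d7d5d69afbb72331c931a88749eab14f28ecda3ef5ce"
DOWNLOAD_URL_IOC = "cdn.discordapp.com/attachments/1045000289708687390/1045158219024171169/main.exe"

# Host artifacts described in the report: the dropped payload disguised as a
# screensaver under the Themes folder, and the stealer's working files in %TEMP%.
ARTIFACT_RULES = [
    ("dropped payload", re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\screen\.scr$", re.I)),
    ("stealer database", re.compile(r"\\AppData\\Local\\Temp\\sublim\w+\.db$", re.I)),
]


def match_paths(paths):
    """Return (label, path) for every path that matches a known artifact location."""
    hits = []
    for p in paths:
        norm = str(PureWindowsPath(p))
        for label, rx in ARTIFACT_RULES:
            if rx.search(norm):
                hits.append((label, norm))
    return hits


def match_autoruns(run_values):
    """run_values maps a Run-key value name to its command line; flag entries that
    launch the dropped screen.scr payload (the persistence seen in Figure 4)."""
    return [(name, cmd) for name, cmd in run_values.items() if "screen.scr" in cmd.lower()]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_payload(digest: str) -> bool:
    return digest.strip().lower() == MAIN_EXE_SHA256


def url_matches_ioc(url: str) -> bool:
    """Compare a URL from proxy or DNS logs against the defanged IoC after re-fanging both sides."""
    plain = url.replace("[.]", ".").replace("hxxp", "http").lower()
    return DOWNLOAD_URL_IOC in plain


def triage(paths, run_values, urls, digests):
    """Aggregate all checks into one report dictionary."""
    return {
        "artifact_paths": match_paths(paths),
        "autoruns": match_autoruns(run_values),
        "urls": [u for u in urls if url_matches_ioc(u)],
        "hashes": [d for d in digests if is_known_payload(d)],
    }


# CONSTRUCTED sample inventory: a mix of artifacts from the report and benign entries.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\screen.scr",
    r"C:\Users\alice\AppData\Local\Temp\sublimPasswords.db",
    r"C:\Users\alice\AppData\Local\Temp\sublimCreditCards.db",
    r"C:\Users\alice\AppData\Local\Temp\pip-build.log",   # benign
    r"C:\Windows\System32\scrnsave.scr",                  # benign
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Themes": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\screen.scr",
}
SAMPLE_URLS = [
    "https://pypi.org/simple/requests/",
    "hxxps://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe",
]
SAMPLE_DIGESTS = [sha256_of(b"harmless placeholder bytes"), MAIN_EXE_SHA256.upper()]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_RUN_VALUES, SAMPLE_URLS, SAMPLE_DIGESTS).items():
        print(f"{key}: {value}")
```

On a live host the same functions can be fed the output of a directory walk over the user profile, the values of the HKCU Run key, and proxy logs; the path rules deliberately key on the full Themes and Temp locations rather than on ‘screen.scr’ alone, because legitimate screensaver files exist elsewhere on the system.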

Conclusion

Individuals need to be wary of installing Python packages in the wild, as they may hide malicious behavior. As this blog series demonstrates, malware authors are often able to use what seems like a benign package to prey on victims.

We will continue monitoring new open-source packages and report malicious packages to help prevent users from becoming victims of a supply chain attack.

Fortinet Protections

FortiGuard AntiVirus detects the malicious executable identified in this report as W64/Agent.7EC7!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects it as malicious and blocks the download URL cited in this report.

IOCs

main.exe

d1f0583169acde756793d7d5d69afbb72331c931a88749eab14f28ecda3ef5ce

Malicious URLs

cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe
