In this second part of our Shaderz zero-day analysis, we look closely at its downloaded executables. Refer to Part One of this blog for more background.
To start, we found that this is a multi-stage attack:
1. Stage one – the package’s setup.py connects to a suspicious URL and downloads the executable ‘stub.exe’
2. Stage two – ‘stub.exe’ downloads a second executable, ‘main.exe’
3. Stage three – ‘main.exe’ is executed
Looking deeper into the first executable, ‘stub.exe’, we find that it is a 64-bit PyInstaller-compiled executable (Python version 3.11).
We observed key behaviors from the disassembled Python byte code of ‘stub.exe’ shown below.
The ‘main.exe’ executable downloaded from URL hxxps://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe is saved to ‘%USER%\AppData\Roaming\Microsoft\Windows\Themes\screen.scr’.
It then runs the executable:
We can also see it sets autorun for this downloaded executable at startup.
The second downloaded executable is where the more malicious behavior happens.
As in Part One of this blog, the download URL hxxps://cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe serves the following binary (SHA-256):
d1f0583169acde756793d7d5d69afbb72331c931a88749eab14f28ecda3ef5ce
As with the previous executable, this download URL has not previously been detected by any other threat researchers.
However, some vendors flag this downloaded executable file as malicious, as shown below.
This executable is also a 64-bit PyInstaller-compiled executable (Python version 3.11). As shown below, its Python byte code is protected with a powerful Python obfuscator called Hyperion.
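Identifying the build toolchain is the first triage step for both samples. The following script is an added example, not FortiGuard Labs tooling: it reads the PE COFF header for the architecture and parses the PyInstaller archive trailer (the “cookie”) for the embedded Python version. It assumes the PyInstaller 2.1+ cookie layout (88 bytes, version encoded as 311 for 3.11) and runs on a constructed stand-in rather than the real binaries.

```python
import struct

# PyInstaller CArchive "cookie" (trailer) for PyInstaller 2.1 and later:
#   magic (8) | package length (u32) | TOC offset (u32) | TOC length (i32) |
#   Python version (i32) | Python DLL name (64 bytes)
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
IMAGE_FILE_MACHINE_AMD64 = 0x8664

def pe_machine(data: bytes):
    """Return the COFF Machine field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def pyinstaller_info(data: bytes):
    """Find the PyInstaller cookie; return (major, minor, pylib) or None."""
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, _, _, _, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Encoded as 311 for 3.11; very old builds used two digits (e.g. 27)
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return major, minor, pylib.rstrip(b"\0").decode("ascii", "replace")

def triage(data: bytes) -> dict:
    """Summarise what a PyInstaller stub shows on inspection: arch and Python version."""
    machine, info = pe_machine(data), pyinstaller_info(data)
    return {"is_pe": machine is not None,
            "is_64bit": machine == IMAGE_FILE_MACHINE_AMD64,
            "pyinstaller": info is not None,
            "python_version": f"{info[0]}.{info[1]}" if info else None,
            "pylib": info[2] if info else None}

def constructed_sample() -> bytes:
    """Constructed test input: minimal fake 64-bit PE with a Python 3.11 cookie appended."""
    pe = bytearray(0x48)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)              # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x44, IMAGE_FILE_MACHINE_AMD64)
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, 0, 0, 0, 311, b"python311.dll")
    return bytes(pe) + b"\0" * 16 + cookie
```

To run it against a real file, call `triage(open(path, "rb").read())`; a `pylib` of `python311.dll` with `is_64bit` set matches what the post reports for both stubs.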
One suspicious behavior conducted by ‘main.exe’ is creating a series of text and DB files in the ‘%USERPROFILE%\AppData\Local\Temp’ folder. It then stealthily records sensitive user data and credentials.
When we look into any of these text files, we see that the malware names itself ‘Subliminal Stealer.’
Let’s take a look at the DB files below. We can safely assume that they are used for saving sensitive data and credentials, such as credit card and log-in information.
Individuals need to be wary of installing Python packages in the wild, as they may have malicious behaviors hidden within. As this blog series demonstrates, malware authors are often able to use what seems like a benign package to prey on victims.
We will continue monitoring new open-source packages and report malicious packages to help prevent users from becoming victims of a supply chain attack.
FortiGuard AntiVirus detects the malicious executable identified in this report as W64/Agent.7EC7!tr.
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects it as malicious and blocks the download URL cited in this report.
d1f0583169acde756793d7d5d69afbb72331c931a88749eab14f28ecda3ef5ce
cdn[.]discordapp[.]com/attachments/1045000289708687390/1045158219024171169/main[.]exe