Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI
2023-03-02 11:21

A malicious Python package uploaded to the Python Package Index has been found to contain a fully-featured information stealer and remote access trojan.

The package, named colourfool, was identified by Kroll's Cyber Threat Intelligence team, with the company calling the malware Colour-Blind.

The file contains a Python script that comes with different modules designed to log keystrokes, steal cookies, and even disable security software.

The use of Cloudflare tunnels mirrors another campaign that was disclosed by Phylum last month, which made use of six fraudulent packages to deliver a stealer-cum-RAT dubbed poweRAT. The trojan is feature-rich and is capable of gathering passwords, terminating applications, taking screenshots, logging keystrokes, opening arbitrary web pages on a browser, executing commands, capturing crypto wallet data, and even snooping on victims via the web camera.

The findings come as threat actors are leveraging the source code associated with W4SP stealer to spawn copycat versions that are distributed via Python packages like ratebypass, imagesolverpy, and 3m-promo-gen-api.

What's more, Phylum discovered three more packages - called pycolured, pycolurate, and colurful - that have been used to deliver a Go-based remote access trojan referred to as Spark.


News URL

https://thehackernews.com/2023/03/experts-identify-fully-featured-info.html

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Python              24           2     52       74     31         159
Pypi                15           0     0        1      15         16