Analyzing Malicious Intent in Python Code: A Case Study

Recent findings by Fortinet’s AI-driven malware detection system have uncovered two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, that pose significant risks to user privacy and security. These packages employ sophisticated techniques for data exfiltration and unauthorized control, highlighting the critical need for vigilance in cybersecurity. #MalwareAlert #Cybersecurity #DataProtection

Keypoints :

  • Fortinet identified two malicious PyPI packages: Zebo-0.1.0 and Cometlogger-0.1.
  • Both packages exhibit high severity levels, impacting user privacy and security.
  • Zebo-0.1.0 utilizes keylogging, screen capturing, and data exfiltration techniques.
  • Cometlogger-0.1 is known for webhook manipulation and information theft across various platforms.
  • Obfuscation techniques are employed to hide malicious intents in both packages.

MITRE Techniques :

  • TA0001 – Initial Access: The malware gains access through malicious packages.
  • TA0002 – Execution: The scripts execute automatically upon installation.
  • TA0003 – Persistence: The malware ensures it runs at system startup.
  • TA0006 – Credential Access: Keylogging functionality captures user credentials.
  • TA0010 – Exfiltration: Data is uploaded to remote servers without user consent.

Indicator of Compromise :

  • [file name] Zebo_0.1.0
  • [file hash] 4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21
  • [file name] cometlogger_0.1
  • [file hash] 839d0cfcc52a130add70239b943d8c82c4234b064d6f996eeaae142f05cc9e85
  • Check the article for all found IoCs.

Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High

Fortinet’s AI-driven OSS malware detection system recently identified two malicious packages: Zebo-0.1.0 on November 16, 2024, and Cometlogger-0.1 on November 24, 2024. Malicious software often masquerades as legitimate code, hiding its harmful features behind complex logic and obfuscation. In this analysis, we examine the Python scripts behind these two packages, outline their malicious behaviors, and provide insights into their potential impact.

The Zebo-0.1.0 script is a typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control. It uses libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent.

The Cometlogger-0.1 script also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-VM checks.

1. Overview of the Code for Zebo-0.1.0

Zebo-0.1.0 is structured to perform various tasks that violate user privacy and security. Its main components include:

Obfuscation: bypass detection mechanisms
Keylogging: Capturing every keystroke typed by the user.
Screen Capturing: Periodic screenshots of the user’s desktop.
Data Exfiltration: Uploading sensitive information (keystrokes, screenshots, etc.) to a remote server.
Persistence Mechanism: Ensuring the malware re-executes upon system startup.

Obfuscation

Using obfuscation intentionally hides the true functionality, making it harder for users or security systems to understand what the code is doing. In this example, if the script or its components are obfuscated, it could hide malicious behavior, such as unauthorized data collection or system manipulation. Obfuscation can also be used to bypass security measures, potentially allowing malware to run undetected, which poses serious risks to both the user’s privacy and system integrity.

The code uses hex-encoded strings (e.g., x68x74x74…) to hide the URL of the server it communicates with. It employs a command and control mechanism via HTTP requests to a remote server, which is used to manage the malware’s behavior and collect stolen data.This obfuscation is a clear sign of malicious intent, as it seeks to bypass detection mechanisms during code review or automated scans.

Figure 1: Decoded, this resolves to a Firebase database URL (https://project-runner-default-rtdb.firebaseio.com/), used for data exfiltration.


Figure 1: Decoded, this resolves to a Firebase database URL (https://project-runner-default-rtdb.firebaseio.com/), used for data exfiltration.

  Figure 2: interacts with a remote URL constructed from the variable fu (which contains a base URL) and the command_path (which refers to a specific path on the server). These requests appear to check for commands (command_data) and upload logs or screenshots to the server.


Figure 2: interacts with a remote URL constructed from the variable fu (which contains a base URL) and the command_path (which refers to a specific path on the server). These requests appear to check for commands (command_data) and upload logs or screenshots to the server.

Keylogging

The use of the pynput library enables the script to log every keystroke made by the user. This feature is implemented through the following functions:

Figure 3: Data Storage: Keystrokes are stored in files/system-files.txt, a local log file, before being uploaded to the remote server.


Figure 3: Data Storage: Keystrokes are stored in files/system-files.txt, a local log file, before being uploaded to the remote server.

Screen Capturing

Screen capturing can secretly record the user’s screen, potentially violating their privacy and leading to unauthorized access to sensitive information. In the provided code, the post-installation script could be used to implement such functionality, allowing an attacker to monitor the user’s activities without their consent. This is considered malicious behavior, as it can be used to steal personal information or perform other harmful actions, and it can lead to significant security risks, including data breaches and legal consequences.

Figure 4: Screenshots are saved locally in the folder C:system-logssystemss. These are uploaded to https://api.imgbb.com/1/upload using an API key fetched from the remote server.


Figure 4: Screenshots are saved locally in the folder C:system-logssystemss. These are uploaded to https://api.imgbb.com/1/upload using an API key fetched from the remote server.

Data Exfiltration

Using data exfiltration in this code is dangerous because it involves secretly collecting and transferring sensitive data from the user’s system without their knowledge or consent. The post-installation script (i_am_cute()) can be used for unauthorized data access, potentially sending private information to a remote server. This could violate privacy, compromise security, and result in legal consequences for the software developer or distributor if the behavior is discovered, as it may be seen as a form of hacking or data theft.

Logs and screenshots are sent to a Firebase database, exposing the user’s sensitive data to unauthorized parties. This is executed through HTTP PUT requests:

Figure 5: If successful, the script clears the local log files to avoid detection


Figure 5: If successful, the script clears the local log files to avoid detection.

Persistence Mechanism

  1. Security Concerns: The post-installation script is executed automatically, which can be exploited by attackers to run malicious code without the user’s consent. If the script is compromised, it could install malware or steal sensitive data.
  2. Unauthorized Modifications: Embedding a persistence mechanism in the installation process makes it difficult for users to track and control what happens after installation. This could lead to unwanted changes in the system or software behavior.
  3. Hard-to-Detect Malicious Behavior: Since the script is executed silently after installation, users may not be aware of what is running on their system. This lack of transparency increases the risk of hidden backdoors, which are difficult to detect and mitigate.

To ensure it runs every time the system starts, the malware:

Figure 6: Creates a Python script (system-log.pyw) in C:system-logs. Generates a batch file (start.bat) in the Windows Startup folder to launch the script.


Figure 6: Creates a Python script (system-log.pyw) in C:system-logs. Generates a batch file (start.bat) in the Windows Startup folder to launch the script.

2. Overview of the Code for Cometlogger-0.1

The code provided raises several red flags indicative of potential malicious activity.

Webhook Manipulation: The code dynamically requests a “webhook” from the user and embeds it into Python files like `Comet.py` and `Exela.py.’
Information Theft: Steals tokens, passwords, and accounts from various platforms (Discord, Steam, Instagram, Twitter, etc.)
Anti-VM Detection: Virtualization environments to evade analysis or sandboxing.
Dynamic File Modification: The scripts modify Python files at runtime, a method that can enable malicious code injection for exploitation during execution.
Persistence: Maintain long-term presence on the victim’s system.

Webhook Injection

Security Risks: Injecting a webhook URL directly into the code allows for potential manipulation by unauthorized users, opening the door to malicious attacks. If attackers alter the webhook URL, it could redirect sensitive data to malicious servers, compromising security.

Data Integrity: Allowing dynamic changes to webhooks during runtime can result in unintentional modifications, leading to incorrect or inconsistent data being sent. This could affect the system’s functionality and lead to miscommunication between services.

Malicious Exploitation: By hardcoding the webhook injection in multiple places, this approach can be exploited to execute malicious code. Since the code can be easily modified and reused, attackers could send harmful payloads through the webhook, potentially damaging systems or stealing data.

The script repeatedly prompts users for a webhook, dynamically injecting it into files

Injected webhooks could:

Send sensitive information to a remote server.

Facilitate command-and-control (C2) operations, allowing an attacker to issue commands remotely.

Figure 7: Enable remote attackers to issue commands and transmit sensitive information to a remote server.


Figure 7: Enable remote attackers to issue commands and transmit sensitive information to a remote server.

Information Theft:

The script from comet.py poses significant risks by violating user privacy through the collection of saved passwords, session cookies, and browsing history, which can be exploited to impersonate users, steal financial data, or compromise accounts. For organizations, this malware threatens unauthorized access to corporate accounts and data breaches, potentially leading to severe legal and financial consequences. Additionally, by targeting cookies from platforms like Instagram, TikTok, and Twitter, it enables account hijacking for spam, scams, or identity theft.

Figure 8: Sensitive Data Categories to Steal from Comet.py


Figure 8: Sensitive Data Categories to Steal from Comet.py

Figure 9: Decryption of Encrypted Credentials, Extract and decrypt encryption key from browser files.


Figure 9: Decryption of Encrypted Credentials, Extract and decrypt encryption key from browser files.

Figure 10: Collect detailed system information using shell commands.


Figure 10: Collect detailed system information using shell commands.

Figure 11: Scans common browser data directories and identifies profile folders. By targeting "Default" and "Profile" folders, it ensures access to primary user data.


Figure 11: Scans common browser data directories and identifies profile folders. By targeting “Default” and “Profile” folders, it ensures access to primary user data.

Figure 12: Malware aiming to ensure unrestricted file access, disrupting user activity and bypassing file locks.


Figure 12: Malware aiming to ensure unrestricted file access, disrupting user activity and bypassing file locks.

Figure 13: Extract cookies related to major platforms (Instagram, TikTok, Spotify) from Firefox's SQLite database.


Figure 13: Extract cookies related to major platforms (Instagram, TikTok, Spotify) from Firefox’s SQLite database.

Figure 14: Access browsing history for surveillance or profiling. Combined with cookies, this data could be used for identity theft, phishing, or behavioral analysis.


Figure 14: Access browsing history for surveillance or profiling. Combined with cookies, this data could be used for identity theft, phishing, or behavioral analysis.

Figure 15: By asynchronously executing tasks, the script maximizes efficiency, stealing large amounts of data in a short time.


Figure 15: By asynchronously executing tasks, the script maximizes efficiency, stealing large amounts of data in a short time.

Figure 16: The stolen data is appended to a list for potential exploitation, indicating a clear breach of user confidentiality.


Figure 16: The stolen data is appended to a list for potential exploitation, indicating a clear breach of user confidentiality.

Figure 17: By decrypting the Web Data file, the malware extracts card numbers, expiration dates, and cardholder names.


Figure 17: By decrypting the Web Data file, the malware extracts card numbers, expiration dates, and cardholder names.

Figure 18: The GetWallets function targets cryptocurrency wallet extensions and local storage to extract wallet files, enabling attackers to control digital assets.


Figure 18: The GetWallets function targets cryptocurrency wallet extensions and local storage to extract wallet files, enabling attackers to control digital assets.

Anti-VM Detection & Fake Error Message

Attackers often use anti-VM techniques to identify if their code is running in a sandbox or virtual machine, commonly used by researchers or security tools.The code checks for common virtualization indicators such as “VMware” and “VirtualBox”.If such indicators are found, the code terminates execution to avoid detection.This allows attackers to bypass security monitoring in controlled environments.

The Fake Error Message can trick users into running the malware code.

Figure 19: Prevents the malware from running in virtual environments.


Figure 19: Prevents the malware from running in virtual environments.

Figure 20: Fake error messages to trick the user into running the malware.


Figure 20: Fake error messages to trick the user into running the malware.

Dynamic File Modification

Security Concerns: The code modifies files based on user inputs, potentially altering sensitive data like webhooks. This opens the door for malicious exploitation if an attacker provides malicious input or manipulates the file content.

Data Integrity Risks: The use of replace operations without validation can lead to unintentional changes or corruption of files, especially if the files are being used by other processes or applications concurrently.

Malware Risks: The integration with UPX, which compresses executables, raises concerns regarding the execution of malicious code. The UPX tool is commonly used to obfuscate malware, making it harder for security tools to detect it.

The code modifies external files (Comet.py and Exela.py) without verifying their content or purpose:

Figure 21: Such unsupervised alterations can compromise the integrity of legitimate files, enabling unauthorized actions or backdoors.


Figure 21: Such unsupervised alterations can compromise the integrity of legitimate files, enabling unauthorized actions or backdoors.

Use of UPX (Ultimate Packer for Executables)

Security Risks: UPX can obfuscate the code, making it harder for security tools to analyze the executable. This could lead to undetected malicious behavior if used in malicious software.

Compatibility Issues: UPX compression might cause problems with certain antivirus software or system configurations, as some security tools may flag compressed executables as suspicious, leading to false positives.

Performance Impact: While UPX reduces file size, the decompression at runtime could introduce delays, affecting the performance of the application, especially if it’s used excessively in critical areas of the code.

The frequent invocation of utils/upx.exe using subprocess.call is highly suspicious:

Figure 22: If upx.exe is tampered with, it could pack malware into executables, hiding them from antivirus software.


Figure 22: If upx.exe is tampered with, it could pack malware into executables, hiding them from antivirus software.

Persistence

Continuous exception loops can lead to several problems, such as consuming excessive CPU resources, causing system freezes, and degrading performance. They may also obscure the root cause of the issue, making debugging more difficult. If exceptions are raised without proper handling, the program becomes unresponsive and harder to maintain.

The script employs an infinite loop to persist in the user’s environment:

Figure 23: Prevent the user from terminating the script easily. Obscure malicious activities running in the background.


Figure 23: Prevent the user from terminating the script easily. Obscure malicious activities running in the background.

Figure 24: Deploy additional malicious components to exploit vulnerabilities.


Figure 24: Deploy additional malicious components to exploit vulnerabilities.

Recommendations

Disconnect from the Internet: Immediately isolate the infected system to prevent further data exfiltration.

Run Antivirus Tools: Use reputable antivirus software to detect and remove the malware.

Reformat the System: If the infection persists, reformat the system and reinstall the OS.

For Prevention

Code Review: Always verify third-party scripts and executables before running them.

Network Monitoring: Implement firewalls and intrusion detection systems to identify suspicious network activity.

Education: Train users to recognize phishing attempts and avoid executing unverified scripts.

Conclusion

This malicious Python script (Zebo-0.1.0) is a textbook example of malware, exhibiting functionalities designed for surveillance, data exfiltration, and unauthorized control. Its sophisticated use of libraries like pynput and ImageGrab, coupled with obfuscation techniques, demonstrates a clear intent to harm or exploit users. Such scripts highlight the importance of cybersecurity awareness and robust defensive measures.

The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM. While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute. Always scrutinize code before running it and avoid interacting with scripts from unverified sources.

Fortinet Protections

FortiGuard AntiVirus detects the malicious files identified in this report as

zebo_0.1.0: Python/Agent.BZ!tr
runner.py:Python/Agent.BZ!tr
Cometlogger_0.1: Python/Agent.APQ!tr
comet.py: Python/Agent.APQ!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

TheFortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.

The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users’ projects in test phases, and prevents those dependencies from being introduced into users’ products.

If you believe these or any other cybersecurity threat has impacted your organization, please contact ourGlobal FortiGuard Incident Response Team.

IOCs

Package/file name

Sha256

Detection

Zebo_0.1.0

4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21

Python/Agent.BZ!tr

zebo_0.1.0/runner.py

4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21

Python/Agent.BZ!tr

cometlogger_0.1

839d0cfcc52a130add70239b943d8c82c4234b064d6f996eeaae142f05cc9e85

Python/Agent.APQ!tr

cometlogger_0.1/comet.py

e01c61dc52514b011c83c293cf19092c40cb606a28a87675b4f896be5afebed2

Python/Agent.APQ!tr


Full Research: https://feeds.fortinet.com/~/909871439/0/fortinet/blog/threat-research~Analyzing-Malicious-Intent-in-Python-Code-A-Case-Study