Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High
Vigilance is paramount in cybersecurity, especially when it comes to understanding and dissecting potentially malicious code. In this blog post, we’ll delve into a piece of code designed (discordpy_bypass-1.7 ) to extract sensitive data from user systems. We’ll analyze its components, functions, and methodologies to understand its purpose and approach.
Introduction
FortiGuard Labs uses a proprietary, AI-driven OSS malware detection system to hunt for and monitor threats. Using this approach on the Python Package Index (PyPI) supply chain platform, we unearthed a malicious PyPI package named discordpy_bypass-1.7, published on March 10, 2024, and detected on March 12, 2024.
This code aims to covertly extract sensitive information from unsuspecting victims using a blend of persistence techniques, browser data extraction, and token harvesting. Understanding the origins and propagation methods of malicious code is paramount in its analysis. Authored by theaos, the author produced seven versions of the package, including versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7. The upgrade-colored_0.0.1 also exhibits similar malicious content as discordpy_bypass, indicating a consistent behavior pattern across versions.
Figure 1: discordpy_bypass-1.7
“discordpy_bypass-1.7” highlights the sort of ongoing threats seen across the cybersecurity landscape. This PyPI package version exhibits similar malicious behavior to previous malicious packages, focusing on extracting sensitive data from user systems through obfuscated code and evasion techniques targeting analysis environments. The code employs various checks to detect debugging or analysis environments and terminates itself if detected, showcasing the author’s effort to evade scrutiny.
The code has three layers. The original Python code is encoded using base64 (the innermost layer). The encoded strings are then broken into separate pieces and encoded once again with some obfuscation techniques (intermediate layer). The obfuscated file is then compiled using pyinstaller into an exe (the last layer) put on a remote URL. The code in discordpy_bypass/discordpy_bypass.py fetches the code from the URL and runs it on the user’s device. This underscores the critical need for vigilance and proactive measures to effectively detect and mitigate cybersecurity threats.
Detecting Debugging or Analysis Environment
One of the first lines of defense code developers use against reverse engineering is detecting debugging or analysis environments. The code segment employs multiple techniques, listed below, to identify such environments and terminate the program’s “self-destruct” if detected.
Figure 2: The program exits in self_destruct
Block listed Processes: These iterate over the running processes and terminates them if their names match those in the blocked process list (“blacklistedProcesses”). These processes include debugging tools like Wireshark, OllyDbg, and IDA64
Figure 3: Blocked processes
Network-related Checks: Compares system IP and MAC addresses against block lists (“blackListedIPS”, “blackListedMacs”). If the IP or MAC address is found in a block list, it returns “True,” indicating a debugging environment.
Figure 4: Block listed IPs and MACs
System-related Checks: Compares system username, hostname, and hardware ID against block lists. (“blackListedUsers,” “blackListedPCNames,” and “blackListedHWIDS”)
Figure 5: blackListedUsers, blackListedPCNames, and “blackListedHWIDS
System Initialization and Socket.IO Events
The code initializes a number of variables and sets up Socket.IO events to handle connections, disconnections, frame adjustments, and more. It enables remote control and monitoring of a system, facilitating actions such as directory navigation, file operations, and command execution.
Figure 6: Socket.IO
Command Handling Functions
Several functions handle commands received over Socket.IO, executing various actions based on the command received. These actions include listing directory contents, sending files to the server, displaying alerts, listing processes, terminating processes, gathering system information, and more.
Figure 7: Socket actions
Malicious Intent
Browser Data Extraction and Token Harvesting: The code’s core functionality revolves around extracting sensitive information from browsers and harvesting authentication tokens, particularly from Discord.
Browser Data Extraction: It utilizes techniques to extract data such as login credentials, cookies, web history, and more from various browsers.
Token Harvesting: This process also decrypts and validates authentication tokens extracted from files, particularly Discord tokens, before uploading them to a remote server.
Figure 8: Actions the hacker can take
Figure 9: The “upload” class collects data from various sources, including browser data such as login credentials, cookies, web history, and credit card information
Figure 10: After collecting the data, the “upload” class compresses it into a ZIP file. This Is often seen in malware to bundle stolen data or payloads for exfiltration
Figure 11: The ‘send’ method attempts to send the compressed ZIP file to a server
Conclusion
Our investigation into the “discordpy_bypass-1.7” code has uncovered a clever and sneaky cyber threat to secretly steal important information from people’s computers. What makes this code especially dangerous is how it tries to trick computer systems and experts who attempt to analyze it. It’s like a master of disguise that can escape from being caught.
This discovery reminds us that the internet isn’t always a safe place. We need to stay alert to protect ourselves from such threats. Understanding them helps us build stronger defenses and stay safe in our digital world. By working together and staying cautious, we can keep our personal information and digital lives secure.
Fortinet Protections
FortiGuard AntiVirus detects the malicious files identified in this report as
upgrade-colored-0.0.1/colored/call.py: Python/Agent.COL!tr
upgrade-colored-0.0.1/colored_payload: Python/Agent.0337!tr
discordpy_bypass-1.0/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.1/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.2/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.3/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.4/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.5/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_payload.exe: Python/Agent.514A!tr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_python.py: Python/Agent.C77E!tr
discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass_payload.py: Python/Agent.7684!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.
The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users’ projects in test phases, and prevents those dependencies from being introduced into users’ products.
If you believe these or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
| File | Hash (sha256) | Detection |
| upgrade-colored-0.0.1/colored/call.py | ba2ceb9b1c6942617e4aaf76f12674acec0f072fde85249ebb7f0255b0681d8a | Python/Agent.COL!tr |
| upgrade-colored-0.0.1/colored_payload | 21ce98a759d413a94487d76b4a37574787bba4695bde5444909f85c40b6a96dd | Python/Agent.0337!tr |
| discordpy_bypass-1.0/discordpy_bypass/discordpy_bypass.py | 3428cfe2de2d415fbdb74b6d099af2061b8af2b21c432ed28b95f360090c80a2 | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.1/discordpy_bypass/discordpy_bypass.py | 3818b238229a40c64dd1cf07d064d5f6580d1887113691cdae23b55364ce572e | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.2/discordpy_bypass/discordpy_bypass.py | 49e74d6ee9ff330db385ac50c398b31ff96bdc88631a3ba4231c9cb11b91f91b | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.3/discordpy_bypass/discordpy_bypass.py | 6259496c7bf20f7b1cca959cd2807538f7e1f735a5bdef487de31c6f7c535645 | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.4/discordpy_bypass/discordpy_bypass.py | 66776b62992ab3a9801293852113e882822bb12cba4d8e89104aa60fbf83ee6d | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.5/discordpy_bypass/discordpy_bypass.py | 164f75859cbfe3d1dd78304de69d6d969df7f681a93b95162c98644425a9c4d2 | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass.py | 1ebdd85a61edb7dde0e2ab59eb58325afd271cff3d364be95c142ed6fa312fae | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass.py | 31c1c3530655fb6da70368fd6c462893ff1b85feda7e5ecbdd9c5ec600e4edb1 | Python/Disco.BYP!tr.dldr |
| discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_payload.exe | 8fd185a5499d728eef4cd181477b0720a60c8be143ff2628941bb2a5985b1f73 | Python/Agent.514A!tr |
| discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_python.py | d937aaf9f8a35687a5397aa9a657094c53553afba15953bc8c75fc9955a82b4c | Python/Agent.C77E!tr |
| discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass_payload.py | e6ccaa47337109d0bec65c573c9d6956e30c893e6bee5fc3bd6ab19f26ba558d | Python/Agent.7684!tr |
Source: Original Post