Tuesday, March 4, 2025
Beware of New Malicious PyPI Packages That Steal Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet’s AI-driven OSS malware detection system.

These packages, spotted on November 16 and November 24, 2024, respectively, represent significant threats to users by leveraging advanced malware techniques.

These findings underscore the critical importance of robust cybersecurity measures to protect against such sophisticated threats.

Malicious Behaviors of Zebo-0.1.0

The Zebo-0.1.0 package exhibits a range of malicious activities designed to surveil users, exfiltrate sensitive data, and maintain unauthorized system control.

Key malicious functionalities of Zebo-0.1.0 include:

  • Keylogging and Screen Capturing: The malware tracks every keystroke using the pynput library and captures screenshots at regular intervals via ImageGrab.
  • Data Exfiltration: Sensitive user data, such as keystrokes and screenshots, is uploaded to a remote Firebase database using obfuscated HTTP requests.
  • Persistence Mechanism: The package ensures prolonged presence in the user’s system by creating auto-executing Python scripts and batch files that initiate upon system startup.

The use of obfuscation techniques, including the encoding of malicious URLs, complicates detection efforts and highlights the sophisticated nature of this malware.


Threats Posed by Cometlogger-0.1

Cometlogger-0.1, another identified malicious package, goes a step further in sophistication.

It is capable of dynamically modifying files, stealing sensitive information, and bypassing security environments.

Noteworthy features include:

  • Webhook Injection and Information Theft: By injecting webhooks into multiple files, the malware facilitates the exfiltration of usernames, passwords, cookies, and cryptocurrency wallet data. Targeted platforms include Discord, Instagram, and various browsers.
  • Anti-VM Checks: The malware employs anti-virtualization techniques to avoid detection within sandbox environments used by researchers and security tools.
  • Dynamic File Modifications: The package manipulates Python files during runtime, enabling the execution of malicious commands and maintaining its stealthy presence.

A particularly alarming aspect of Cometlogger-0.1 is its ability to extract encrypted credentials and card data from browser storage, significantly escalating the risk of financial fraud and identity theft.

To mitigate the risk posed by these malicious packages, users and organizations are advised to follow these cybersecurity best practices:

  1. Disconnect and Scan: Immediately disconnect affected systems from the internet and perform a thorough malware scan using reputable antivirus software.
  2. Code Scrutiny: Avoid installing unverified Python packages and review the code of third-party scripts before execution.
  3. Network Monitoring: Implement intrusion detection systems to identify and block suspicious network activities.
  4. Awareness Training: Educate users on recognizing phishing schemes and avoiding unsafe downloads.
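As an added example of the "Code Scrutiny" step applied to the Zebo-0.1.0 behaviours described above (this is not the article's or Fortinet's code): a small static-triage script that parses a package's source with `ast` and flags keylogging and screen-capture imports, URLs hidden behind a base64 layer, and startup-folder or `.bat` file writes. The sample source, the module list and the Firebase-style URL are constructed for illustration only.

```python
import ast
import base64
import re

# Constructed sample for this example: source that mimics the behaviours the article
# attributes to Zebo-0.1.0 (keylogger and screenshot imports, base64-hidden Firebase
# URL, startup-folder batch file). It is not the real package's code.
HIDDEN_URL = base64.b64encode(b"https://example-logs.firebaseio.com/log.json").decode()
SAMPLE_SOURCE = f'''
import os, base64, requests
from pynput import keyboard
from PIL import ImageGrab
TARGET = base64.b64decode("{HIDDEN_URL}").decode()
def persist():
    startup = os.path.join(os.getenv("APPDATA"), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    with open(os.path.join(startup, "run.bat"), "w") as f:
        f.write("python " + os.path.join(os.getenv("APPDATA"), "svc.py"))
'''

# Modules a typical utility package has no reason to import (assumed list).
SUSPICIOUS_MODULES = {"pynput": "keylogging", "PIL.ImageGrab": "screen-capture"}
URL_RE = re.compile(r"https?://[\w.\-/]+")

def decode_b64(text):
    """Return the decoded text if `text` is valid base64 UTF-8, else None."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(source):
    """Static triage of one Python source file: returns (category, detail) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            base = getattr(node, "module", None)  # only ImportFrom has .module
            for alias in node.names:
                name = f"{base}.{alias.name}" if base else alias.name
                for prefix, category in SUSPICIOUS_MODULES.items():
                    if name == prefix or name.startswith(prefix + "."):
                        findings.append((category, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            value = node.value
            decoded = decode_b64(value) if len(value) >= 16 else None
            for tag, text in (("url", value), ("encoded-url", decoded or "")):
                findings.extend((tag, url) for url in URL_RE.findall(text))
            if value.lower() == "startup" or value.lower().endswith(".bat"):
                findings.append(("persistence", value))
    return findings
```

Run `triage()` over each `.py` file of a downloaded sdist before installing it; a hit is a reason to read the file, not proof of malice on its own.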

Fortinet customers remain protected against these threats through updated AntiVirus services, including FortiGate and FortiClient tools, which have been calibrated to detect and prevent these specific malware packages.

The discovery of Zebo-0.1.0 and Cometlogger-0.1 highlights increasing risks posed by open-source dependencies.

These malicious packages effectively demonstrate how attackers can use sophisticated techniques to bypass detection, exfiltrate data, and target both individuals and organizations.

Heightened vigilance, combined with advanced cybersecurity tools, remains critical in combating such threats.

