Two malicious Python Package Index (PyPI) packages, Zebo-0.1.0 and Cometlogger-0.1, have been identified, posing a significant threat to user security.
These packages, uploaded in November 2024, exploit unsuspecting developers and users, aiming to steal sensitive data such as login credentials, browsing history, and even financial information.
The packages underline the importance of vigilance when using open-source software repositories.
Details of Malicious Packages
Zebo-0.1.0 employs advanced obfuscation practices to avoid detection. For instance, it uses hex-encoded strings to hide communication URLs and relies on HTTP requests to interact with a Firebase database for data exfiltration.
These measures bypass many automated defenses, making the malware both stealthy and dangerous.
Zebo abuses the pynput library to log every user keystroke, storing them locally in a file before uploading them to a remote server. Additionally, it performs periodic screen captures via the ImageGrab library.
Screenshots, stored at C:\system-logs\systemss, are sent to an external server using an API key fetched from a remote source.
One critical feature of Zebo is its ability to upload sensitive data like credentials, browsing activity, and screenshots to remote repositories. The malware clears local logs post-transfer, reducing the chances of detection, as per a report by Fortinet.
Zebo ensures its continued execution by creating a script (system-log.pyw) and a batch file (start.bat) in the Windows Startup folder. This persistence capability guarantees it runs every time the system restarts, posing long-term risks to users.
This package manipulates files dynamically by embedding webhook URLs. This approach facilitates remote command-and-control (C2) operations, allowing attackers to execute commands or extract data remotely.
Cometlogger-0.1 targets cookies, saved passwords, session data, and credentials from browsers and cryptocurrency wallets. By decrypting browser files, it retrieves card details and user credentials from platforms like Discord, Instagram, and Twitter.
The malware leverages anti-VM tactics, checking for indicators like “VMware” or “VirtualBox”. If detected, the malware terminates, evading detection by sandboxed environments typically used by researchers.
Cometlogger employs UPX (Ultimate Packer for Executables) to compress its components, hiding malicious code from antivirus detection. This tactic often shields harmful behaviors from analysis tools.
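As an added defender-side example (not code from the Fortinet report or from either package), the following Python script statically triages a package's source for the indicators described above: runs of hex-escaped characters hiding strings, pynput and ImageGrab imports, Firebase or webhook endpoint strings, and Startup-folder persistence names such as system-log.pyw. The indicator labels and the sample module it scans are constructed for illustration.

```python
"""Static triage of Python source for behaviours the article attributes to
Zebo/Cometlogger. Indicator labels and SAMPLE are constructed for this example."""
import ast
import re

SUSPECT_IMPORTS = {
    "pynput": "keystroke logging import (pynput)",
    "PIL.ImageGrab": "screen capture import (PIL.ImageGrab)",
}
# Eight or more consecutive \xNN escapes in the raw text is a hiding technique.
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
EXFIL_HINTS = ("firebase", "webhook")
PERSISTENCE_HINTS = ("startup", ".pyw", "start.bat")

def _imported_names(node):
    """Yield dotted module names referenced by an import statement."""
    if isinstance(node, ast.Import):
        for alias in node.names:
            yield alias.name
    elif isinstance(node, ast.ImportFrom) and node.module:
        yield node.module
        for alias in node.names:
            yield f"{node.module}.{alias.name}"

def triage_source(source):
    """Return a sorted list of indicator labels found in the given Python source."""
    findings = set()
    if HEX_ESCAPE_RUN.search(source):
        findings.add("hex-escaped string literal (obfuscated text)")
    for node in ast.walk(ast.parse(source)):
        for name in _imported_names(node):
            for module, label in SUSPECT_IMPORTS.items():
                if name == module or name.startswith(module + "."):
                    findings.add(label)
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()  # the parser has already resolved \x escapes
            if any(h in text for h in EXFIL_HINTS):
                findings.add("Firebase/webhook endpoint string")
            if any(h in text for h in PERSISTENCE_HINTS):
                findings.add("Windows Startup persistence string")
    return sorted(findings)

# Constructed sample mimicking the described behaviours; not code from either package.
SAMPLE = r'''
import os
from pynput import keyboard
from PIL import ImageGrab
URL = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "example-project.firebaseio.com/logs"
STARTUP = os.path.join(os.getenv("APPDATA"), "Microsoft", "Windows",
                       "Start Menu", "Programs", "Startup", "system-log.pyw")
'''
```

Running `triage_source(SAMPLE)` returns all five indicator labels, while a benign module that only imports json returns an empty list.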
The discovery of Zebo-0.1.0 and Cometlogger-0.1 underscores the growing threats in open-source ecosystems. These malicious packages highlight the need for robust security measures to protect both personal and organizational data.
By following best practices and implementing proactive strategies, users can mitigate risks and contribute to a safer development environment.
The post Two New Malicious PyPI Packages Attacking Users to Steal Login Details appeared first on Cyber Security News.