Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data


KEY SUMMARY POINTs from the article  

  • Malicious Packages Identified: Zebo-0.1.0 and Cometlogger-0.1 are malicious Python packages discovered on PyPI.
  • Sensitive Data Theft: These packages steal user data through keylogging, screenshot capturing, and information exfiltration.
  • Persistence Mechanisms: They establish long-term control by creating startup scripts to re-execute on system reboot.
  • Obfuscation Techniques: Advanced obfuscation methods help the packages evade detection and security systems.
  • Wide Impact: These threats compromise developers and platforms reliant on PyPI, posing major privacy and security risks.

On November 24, 2024, Fortinet FortiGuard Lab’s AI-based detection system identified Python malware in two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, targeting unsuspecting users for their data.

These packages can steal sensitive information, capture screenshots, log keystrokes, and establish unauthorized control over infected systems, researchers noted in the blog post shared with Hackread.com.

What is Zebo-0.1.0?

Zebo-0.1.0 exhibits typical malware characteristics, including functions designed for surveillance, data exfiltration, and unauthorized control, and utilizes libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent. 

The script employs obfuscation to hide its true functionality, making it harder for users or security systems to understand its actions. This obfuscation can bypass security measures, allowing the malware to run undetected. 

Zebo-0.1.0 leverages pynput to log every keystroke made by the user and also captures screenshots of the desktop, potentially violating their privacy. Furthermore, the script exfiltrates sensitive information, such as keystrokes and screenshots, to a remote server, compromising user privacy.

To ensure persistence, the malware creates a Python script and a batch file in the Windows Startup folder, ensuring its re-execution upon system startup, making it difficult to remove and increasing the risk of long-term damage.

What is Cometlogger-0.1?

Cometlogger-0.1 maintains a long-term presence on the victim’s system and uses advanced techniques like obfuscation, keylogging, screen capturing, and data exfiltration to compromise user data. It dynamically requests a “webhook” from the user and embeds it into Python files, allowing for potential manipulation by unauthorized users. This can redirect sensitive data to malicious servers or facilitate command-and-control operations. 

The script also targets various platforms like Discord, Steam, Instagram, and Twitter, stealing tokens, passwords, and account information. Additionally, it employs anti-VM detection techniques to evade analysis and incorporates dynamic file modification capabilities, enabling the injection of malicious code.

Both packages are a major threat to user privacy and security. Zebo-0.1.0 actively collects sensitive data and transmits it to remote servers. Cometlogger-0.1, on the other hand, focuses on information theft and maintaining a persistent presence on the victim’s system. The affected systems include all those platforms where PyPI packages can be installed with a High severity level, and threatens individuals or institutions whoever has installed these malicious packages.

Data stolen by the malware (Via Fortinet FortiGuard Lab)

The Python Package Index (PyPI) has become an invaluable resource for developers, offering a vast repository of reusable code. However, this convenience comes with inherent risks as malicious actors are increasingly exploiting it by publishing malicious packages that, when installed, can compromise systems. Socket Security researchers last month discovered another malicious Python package called “Fabrice” on PyPI downloaded over 37,000 times since its inception in 2021, harvesting AWS credentials from developers for three years.

To protect against these threats, it is crucial to disconnect from the internet, isolate the infected system, use reputable antivirus software, and reformat the system if necessary.

  1. Why is learning Python important in Data Science?
  2. 6 official Python repositories plagued with cryptomining malware
  3. PythonAnywhere Cloud Platform Abused for Hosting Ransomware
  4. Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats
  5. NTLM Credential Theft in Python Apps Threaten Windows Security





Source link