A Malicious Python Repository fshec2 PyPI Attack Analysis

TutorialBoy
5 min readOct 13, 2023

Introduction

PyPI (Python Package Index) is Python’s official package indexing and distribution platform. It is a public, global repository for storing, publishing and installing Python packages and modules

PyPI allows developers to package the Python code they write as reusable modules or libraries and publish them on PyPI for other developers to use. Developers can install the required modules or libraries from PyPI by using the pip tool (Python’s package management tool). PyPI provides a wide range of Python packages covering functionality for a variety of uses and domains.

The security team of ReversingLabs reported a malicious package named fshec2 to the PyPI team. The package was removed from the PyPI repository on the same day.

Technical Analysis

After the package is installed, three files __init__.py, full.pyc, and main.py will be generated.

__init__.py imports the load_path function from the main module.

The load_path function in main.py loads the full.pyc file through the importlib library uses it as a module object, and finally calls the get_path function of the object.

It can be seen from the file header of full.pyc that the file is written in version 3.10b of Python. Some tools such as pycdc and uncompyle6 cannot completely decompile the py source code. The manual decompilation results are as follows:

The get_path function will first determine the relevant behaviour based on the host system. Under Windows, this function will send its own hostname and user information to the C2 server, and send the directory structure in the user root directory of the C drive to the C2 server. At the same time, the commands obtained from the C2 server are written locally.

Then the Python path and malicious script path are obtained through the create_windows_task function, and then the command is used:

schtasks /create /tn “{task_name}” /tr “{python_path} {script_path}” /sc minute /mo {trigger_interval} /F /RL HIGHEST /NP

Add Windows scheduled tasks. This command will create a scheduled task that periodically runs the specified Python script with the highest privileges.

Under Linux, it will also send its own hostname and user information to the C2 server, and then write the current scheduled task to the __crontabl_default.txt file.

Finally, the subprocess.call will be used to add scheduled tasks. The tasks are:

*/10 * * * * /usr/bin/python3 {file_path_user} >> {dir_path}/{file_path_all}run.log 2>&1

The meaning is to execute the /usr/bin/python3 {file_path_user} command every 10 minutes and append the output results to the {dir_path}/{file_path_all}run.log file.

The send_file function will upload files to the uploads directory of the C2 server.

Through the combination of the above functions, the attack behaviour of this malicious library can evolve.

In the first stage, the new Python file will be downloaded from C2, and the payload in the second stage will be downloaded through the execute_commands_as_per_url function.

Subsequent attack behaviours were changeable and controllable. Since the relevant directories of the C2 server had been deleted on June 5, 2023, when this article was written, subsequent payloads could not be obtained, and the analysis ended.

  • On April 17, 2023, the malicious package was removed from the PyPI repository.
  • On June 5, 2023, the malicious package could still be downloaded from domestic mirror websites.

As of June 6, 2023, Weibu has not marked this IP. On VirusTotal, six security companies including ADMINUSLabs, CRDF, CyRadar, ESET, ESTsecurity, and Kaspersky have marked this IP.

Remediation

Nowadays, attacks based on third-party libraries have become very common. For Python, even if PyPI performs source code detection on released software packages, there will still be some malicious software packages that can escape detection and be uploaded. For example, malicious Python libraries such as pyrologin, easytimestamp, discorder, and discord-dev use similar names to common libraries, causing programmers to accidentally install these malicious libraries when using the pip install command, and finally when calling the export function of the malicious library. Conducted malicious operations.

Although this fshec2 attack example does not use advanced attack techniques, it successfully uses pyc files to bypass PyPI’s source code detection and anti-virus software detection. This easily reproducible attack method requires the attention of security personnel and Internet companies.

This attack method reminds us that although open-source library platforms such as PyPI have taken a series of security measures, we still need to remain highly vigilant. As developers and users, we should be cautious about the use of third-party libraries and take some precautions to reduce potential risks. Specific measures are as follows:

  • Carefully verify and verify the source and trustworthiness of the libraries you want to install. Make sure the author of the library is trustworthy and check whether the library is downloaded from an official source.
  • Avoid installing untrusted libraries directly in production environments. When using a library, you can first test and evaluate it in a development environment to ensure that the functionality and security of the library meet expectations.
  • Keep installed libraries updated. As security vulnerabilities continue to be discovered and fixed, newer versions of open-source libraries often fix known vulnerabilities and security issues;

Before using any third-party library, you should carefully read its documentation, review its community feedback and reviews, and understand how the library is used, its functions, and potential risks.

--

--

TutorialBoy

Our mission is to get you into information security. We'll introduce you to penetration testing and Red Teaming. We cover network testing, Active Directory.