Lucene search

K
impervablogOmri CohenIMPERVABLOG:35313D4EE3E20D03E4113C9E5AF6360F
HistoryFeb 13, 2024 - 3:47 p.m.

Python’s Colorama Typosquatting Meets ‘Fade Stealer’ Malware

2024-02-1315:47:35
Omri Cohen
www.imperva.com
4
python
colorama
fake
stolen
malware
fade stealer
pypi
attack
discord webhook
windows
evasion
leet
data exfiltration

7.3 High

AI Score

Confidence

Low

As our hunt against malicious Python packages continues, Imperva Threat Research recently discovered an attempt to masquerade Fade Stealer malware as a nondescript package, Colorama.

Why Colorama?

Colorama is a package used by developers to add color and style to their text in terminal outputs.

Figure 1: Genuine Colorama package

Colorama is number 44 in the top downloaded PyPi packages in the last month, which makes it a great candidate for attackers to create malicious copies in an effort to fool innocent developers.

Figure 2: ‘Colorama’ popularity

There have been several attempts to masquerade the ‘colorama’ package in the last year, by using typosquatting, such as: ‘colarama’, ‘colourama’, ‘colorama-api’, etc.

Figure 3: Masquerade packages of ‘Colorama’

While browsing the internet, we came across several blog posts—including those from Inedo, Sonatype, and Phylum—discussing different packages masquerading as the Colorama package.

Our Findings

Our journey started with the ‘colarama-api’ package, which was discovered by our detection system. A file called ‘setup.py’ triggered the alert, and the metadata caught our attention. Several fields (marked in red below) attempted to gain the trust of the users by mentioning the legitimate author of the package.

Figure 4: ‘colarama-api’ metadata from setup.py

The second thing that we observed was the import of the base64 decode and request libraries, along with a Discord webhook reference. These were suspicious because they are not common to see in setup.py files.

Figure 5: ‘colarama-api’ setup.py

We discovered that there were two more PyPi packages using the same Discord webhook:

  • oauth-Less-1.0.tar.gz
  • shikitesting-1.0.tar.gz

Figure 6: Package release timeline

All of these malicious packages have been removed by PyPi.

Fade Stealer

While analyzing the setup.py code, we bumped into the string ‘Fade Stealer’, which led us to several blogs written in the last year, among them a blog written by Fortinet.

In addition to the tactics, techniques, and procedures (TTPs) flagged by Fortinet, there are several indicators that the targets of ‘Fade Stealer’ are Windows users, like several environment variables and paths in the malware.

Figure 7: Windows environments variables

Figure 8: Windows paths

The program tries to extract sensitive information from known and popular sites across different sectors like gaming, social media, and entertainment. For example, the program targets sites like Facebook, Telegram, Roblox, etc.

Figure 9: Target sites to exfiltrate data

The attacker used several evasion techniques to stay under the radar. One of them is the use of Leet (sometimes written as "1337" or "l33t") in an attempt to avoid detection from programs that search for specific strings, as seen in Figure 10 below.

In Figure 10, we can also see that the attacker copied the cookies’ db file to a temporary folder, and after fetching the data, removed the file to hide their traces.

To fetch data from the victim’s sensitive files, the attacker had to terminate processes to make sure the file was not locked.

Terminate process before extracting data

One of the things the attacker attempted to exfiltrate is Discord payment and billing information. By accessing the Discord API with the ‘@me’ notation, the attacker can leverage the existing session token.

Figure 12: Billing information exfiltration

The use of the string ‘methode’ (Figure 12) within the code could suggest that the creator of 'Fade Stealer' might not be a native English speaker. This inference is based on the spelling of the word "methode" – which resembles the French word for "method" or similar spellings in other languages, rather than the English spelling "method."

Takeaways

While individually the use of ‘Fade Stealer’ or typosquatting of the ‘colorama’ package is familiar within cybersecurity circles, the combination of the two has never been seen before.

These tactics demonstrate a calculated effort to exploit the trust and habits of users in the Python community. It highlights the need for vigilance even when interacting with seemingly legitimate sources. Users must double-check package names, authors, and other metadata, especially when dealing with critical or sensitive projects. This scenario also underscores the importance of repository maintainers and the community in monitoring and reporting such malicious activities to safeguard the ecosystem.

IOC List

Packages

Package name SHA256 of the package archive
shikitesting-1.0.tar.gz 1cb8bc2d4a3944e0db89abda5d8cfac77cad98ff14b9a80f6a3518089a85506f
colarama-api-1.0.tar.gz 3d53080822a1417631fef70a20883941e9fb99a3021a7d5b63a0d054c99440ed
oauth-Less-1.0.tar.gz 55435c097498a2039ea9a34b47f5cb547b9516005c679df030ff001608af6388
aio_http_proxy_support-1.0.tar.gz
e15d4c5528e1024ec64edc6c3b229772b216c43cb28f67d385b35092d0808e7b

Malicious URL

hxxps://discord[.]com/api/webhooks/1204091633247850546/goOld9dQmwEAt28s5wpybJii9QkAjtt3q1NirOpU2AXbzzyIoL-M5k2sqWsA76DhMKCi

The post Python’s Colorama Typosquatting Meets ‘Fade Stealer’ Malware appeared first on Blog.

7.3 High

AI Score

Confidence

Low