Full Report
Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs. The packages, named zebo and cometlogger, attracted 118 and 164 downloads respectively before they were taken down.
Analysis Summary
This summary is based on the provided article describing the discovery of malicious Python packages on PyPI.
# Tool/Technique: zebo and cometlogger (Malicious PyPI Packages)
## Overview
Two malicious packages, named `zebo` and `cometlogger`, were discovered uploaded to the Python Package Index (PyPI). These packages function as malware designed for surveillance, data exfiltration, unauthorized control, and information harvesting from compromised hosts.
## Technical Details
- Type: Malware families (specifically, malicious Python packages)
- Platform: Primarily targets **Windows** (implied by persistence mechanism using Windows Startup folder).
- Capabilities: Keystroke logging, screen capture, credential/data theft from numerous applications, persistence establishment, C2 communication, and anti-VM checks (for `cometlogger`).
- First Seen: Prior to December 24, 2024 (when the article was published).
## MITRE ATT&CK Mapping
The observed behaviors map to several stages of the attack lifecycle:
- **TA0001 - Initial Access**
  - T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (distribution as packages on the PyPI repository)
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (batch script in the Windows Startup folder, for `zebo`)
- **TA0005 - Defense Evasion**
  - T1497 - Virtualization/Sandbox Evasion (anti-VM checks, for `cometlogger`)
- **TA0009 - Collection**
  - T1056.001 - Input Capture: Keystroke Monitoring
  - T1113 - Screen Capture
  - T1555 - Credentials from Password Stores (e.g., stealing cookies, passwords, tokens)
  - T1005 - Data from Local System (harvesting system metadata, network info)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (HTTP requests)
  - T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage (screenshots uploaded to ImgBB)
- **TA0004 - Privilege Escalation:** none observed; the per-user Startup folder is writable from a standard user context, so this persistence method needs no escalation.
## Functionality
### Core Capabilities
**`zebo`:**
* Utilizes obfuscation techniques (hex-encoded strings) to hide C2 server URLs.
* Employs the `pynput` library for capturing keystrokes.
* Uses `ImageGrab` to take screenshots hourly.
* Exfiltrates captured screenshots to the free image hosting service **ImgBB** using a dynamically retrieved API key.
* Establishes persistence on Windows by creating a batch script that adds the malicious Python code to the **Windows Startup folder**.
**`cometlogger`:**
* Highly feature-packed malware focusing on comprehensive data theft.
* Siphons various sensitive data types: cookies, passwords, tokens, and account information.
* Targets data from major platforms: Discord, Steam, Instagram, X (Twitter), TikTok, Reddit, Twitch, Spotify, and Roblox.
* Collects system metadata, network configuration, Wi-Fi information, running process lists, and clipboard contents.
* Includes checks to avoid execution within virtual environments (Anti-VM checks).
* Has functionality to terminate web browsers.
### Advanced Features
* **Dynamic C2 Retrieval:** `zebo` conceals its C2 URL using obfuscation.
* **File Manipulation:** `cometlogger` exhibits dynamic file manipulation.
* **Webhook Injection:** `cometlogger` shows signs of webhook injection behavior (purpose not fully detailed in the text but listed as malicious).
## Indicators of Compromise
* File Hashes: Not explicitly provided in the summary.
* File Names: `zebo` and `cometlogger` (the package names).
* Registry Keys: Not explicitly provided, but persistence relies on the **Windows Startup folder**.
* Network Indicators: C2 servers communicating via **HTTP requests** (URL is obfuscated). Image exfiltration uses the **ImgBB API**.
* Behavioral Indicators: Keystroke logging, hourly screenshot capture, creation of batch script in the Startup folder, network configuration gathering, and browser termination attempts.
## Associated Threat Actors
The article attributes the packages to no named threat actor or APT group. Their commodity stealer feature set suggests use by financially motivated actors or commodity malware distributors targeting open-source users.
## Detection Methods
* Signature-based detection (if hashes/C2s are identified).
* Behavioral detection identifying API calls related to `pynput`, `ImageGrab`, file system modifications in the Startup folder, and connections to C2 infrastructure.
* Detection of dynamic features like obfuscated string decoding.
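As an added illustration of the behavioral and network detection points above (example code, not tooling from the report or from FortiGuard Labs): a small detector that reads constructed proxy log lines and flags a host whose POSTs to the ImgBB upload API recur at an hourly cadence, matching zebo's hourly screenshot exfiltration. The log format, host names and process names are assumptions.

```python
"""Detect zebo-style hourly screenshot uploads in proxy logs (added example, not from the report)."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample proxy log: "<ISO time> <host> <process> <method> <url>"; process names are assumed.
SAMPLE_LOG = """\
2024-12-20T09:00:05 ws-17 python.exe POST https://api.imgbb.com/1/upload?key=ab12
2024-12-20T09:31:10 ws-17 chrome.exe GET https://pypi.org/simple/requests/
2024-12-20T10:00:07 ws-17 python.exe POST https://api.imgbb.com/1/upload?key=ab12
2024-12-20T11:00:04 ws-17 python.exe POST https://api.imgbb.com/1/upload?key=ab12
2024-12-20T11:20:00 ws-03 chrome.exe POST https://api.imgbb.com/1/upload?key=zz99
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
IMAGE_HOSTS = ("api.imgbb.com",)  # service named in the report; add others as needed
PERIOD, TOLERANCE = 3600, 120     # hourly cadence, allowing two minutes of jitter

def parse(log_text):
    """Yield (time, host, process, method, url) for well-formed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, method, url = m.groups()
            yield datetime.fromisoformat(ts), host, proc, method, url

def detect_periodic_uploads(log_text, min_count=3):
    """Return {(host, process): upload_count} for hosts that POST to an image
    host at a roughly hourly interval, the cadence of zebo's screenshot capture."""
    by_key = defaultdict(list)
    for ts, host, proc, method, url in parse(log_text):
        if method == "POST" and any(h in url for h in IMAGE_HOSTS):
            by_key[(host, proc)].append(ts)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and all(abs(g - PERIOD) <= TOLERANCE for g in gaps):
            alerts[key] = len(times)
    return alerts

if __name__ == "__main__":
    print(detect_periodic_uploads(SAMPLE_LOG))  # {('ws-17', 'python.exe'): 3}
```

A single upload from ws-03 is not flagged: the detector keys on repetition at the malware's interval, not on the destination alone.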
## Mitigation Strategies
* **Supply Chain Security:** Vigilance regarding dependencies installed from public repositories like PyPI.
* **Dependency Vetting:** Reviewing newly uploaded or low-reputation packages before installation.
* **Access Control:** Limit privileges such that standard user accounts cannot easily write to system-wide startup locations.
* **Network Monitoring:** Inspecting outbound traffic for suspicious HTTP requests or uploads to image hosting services.
* **Endpoint Detection and Response (EDR):** Monitoring for the execution of Python scripts spawned from startup locations and suspicious process activity (e.g., keylogging).
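As an added example for the dependency-vetting and EDR points above (not the report's own tooling): a static triage pass over a package's Python source that flags the traits described for zebo, namely `pynput` and `ImageGrab` imports, runtime decoding of long hex literals, and strings pointing at ImgBB, the Startup folder or a dropped batch file. The sample source is constructed to imitate those traits and is not the real package.

```python
"""Static pre-install triage of a Python package's source (added example, not the report's tooling)."""
import ast
import re

SUSPICIOUS_MODULES = {"pynput", "PIL.ImageGrab"}          # libraries the report names
SUSPICIOUS_STRINGS = ("imgbb.com", r"\Startup", ".bat")   # exfil host, persistence path, dropper
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")              # long hex literals hide decoded URLs

# Constructed sample imitating the behaviours described for zebo; not the real package code.
SAMPLE_SOURCE = r'''
import os, time
from pynput import keyboard
from PIL import ImageGrab
C2 = bytes.fromhex("68747470733a2f2f6578616d706c652e696e76616c69642f6332").decode()
startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
open(os.path.join(startup, "run.bat"), "w").write("python %APPDATA%\\svc.py")
'''

def _dotted(node):
    """Render an attribute chain such as bytes.fromhex as a dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def scan_source(source):
    """Return sorted (line, reason) findings for one module's source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings.update((node.lineno, f"import {a.name}") for a in node.names
                            if a.name.split(".")[0] in SUSPICIOUS_MODULES)
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                full = f"{node.module}.{a.name}"
                if node.module in SUSPICIOUS_MODULES or full in SUSPICIOUS_MODULES:
                    findings.add((node.lineno, f"import {full}"))
        elif isinstance(node, ast.Call) and _dotted(node.func) == "bytes.fromhex":
            findings.add((node.lineno, "runtime hex decode"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HEX_BLOB.match(node.value):
                findings.add((node.lineno, "long hex literal"))
            findings.update((node.lineno, f"string contains {s!r}")
                            for s in SUSPICIOUS_STRINGS if s in node.value)
    return sorted(findings)
```

Run it over every `.py` in an unpacked sdist or wheel before installation; any finding is a reason to read the file by hand rather than trust the package.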
## Related Tools/Techniques
* Credential Stealers utilizing open-source libraries.
* Malicious use of `pynput` and `ImageGrab`.
* Supply chain attacks targeting developer environments via package registries (similar to typosquatting or dependency confusion attacks, though these appear to be direct malware uploads).