The PoweRAT Malware Attacks PyPI Users

The software supply chain security company Phylum has discovered a malicious campaign against users of the Python Package Index (PyPI) that delivers the PoweRAT backdoor together with an information stealer. The campaign was first spotted on December 22, 2022, with PyroLogin, a malicious Python package built to retrieve code from a remote server and execute it silently.

The EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles packages, all published to PyPI between December 28 and December 31, contained code similar to PyroLogin's.

The infection chain starts in the package's setup.py, which pip executes during installation, so the malware runs automatically as soon as one of the malicious packages is installed. From there the chain runs through several scripts and abuses legitimate operating system features.

Phylum examined the execution process and found attempts to evade static analysis and the use of obfuscation. While the malicious code runs in the background, a message saying that "dependencies" are being installed is shown so that the victim has no reason to become suspicious.
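Because pip runs setup.py with the installing user's privileges, the cheapest defence is to look at that file before installing. The script below is an added example, not Phylum's tooling or the malware's code: it walks the AST of a setup.py and flags the constructs an install-time loader of this kind relies on (dynamic code execution, process spawning, network and encoding modules, long base64-looking blobs, PowerShell-style command strings). The two embedded setup.py samples are constructed for the demonstration and are not the real packages.

```python
"""Static triage of a setup.py before running `pip install`.

Added example: flags install-time constructs typical of setup.py loaders.
It is a triage aid for a human reviewer, not a malware verdict.
"""
import ast
import re
import sys

# Builtins that turn data into running code; rare in a legitimate setup.py.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# Modules that give setup.py network access, process spawning or payload decoding.
SUSPICIOUS_MODULES = {"subprocess", "urllib", "requests", "socket",
                      "base64", "zlib", "marshal", "ctypes"}
# Attribute calls that spawn a process (os itself is too common to flag on import).
SPAWN_CALLS = {"os.system", "os.popen", "os.startfile", "os.spawnl", "os.execv"}
# A long run of base64 alphabet characters usually hides a second stage.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")
# Command-line fragments that point at a hidden PowerShell or cmd stage.
SHELL_HINTS = ("powershell", "cmd.exe", "-enc", "-encodedcommand")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source: str):
    """Return sorted, de-duplicated (lineno, reason) findings for setup.py text."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that does not parse cannot be installed either; report it.
        return [(exc.lineno or 0, f"does not parse: {exc.msg}")]

    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                findings.add((node.lineno, f"imports {mod}"))

        if isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in DYNAMIC_EXEC:
                findings.add((node.lineno, f"dynamic code execution via {callee}()"))
            elif callee and (callee in SPAWN_CALLS or callee.startswith("subprocess.")):
                findings.add((node.lineno, f"spawns a process via {callee}()"))

        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if B64_BLOB.match(text):
                findings.add((node.lineno, f"{len(text)}-char base64-looking blob"))
            hits = [h for h in SHELL_HINTS if h in text.lower()]
            if hits:
                findings.add((node.lineno, f"string mentions {', '.join(hits)}"))
    return sorted(findings)


# Constructed sample modelled on the install-time pattern described above:
# prints a fake "installing dependencies" message, decodes and runs a blob,
# then launches a hidden PowerShell. Not the real PoweRAT code.
SAMPLE_MALICIOUS_SETUP = (
    "from setuptools import setup\n"
    "import base64, subprocess\n"
    "from urllib.request import urlopen\n"
    "\n"
    'print("Installing dependencies...")\n'
    'payload = base64.b64decode("' + "QUFB" * 80 + '")\n'
    'exec(compile(payload, "<stage2>", "exec"))\n'
    'subprocess.Popen(["powershell", "-w", "hidden", "-enc", "ZQBjAGgAbwA="])\n'
    "\n"
    'setup(name="example-pkg", version="0.1.0", packages=[])\n'
)

# Constructed benign sample: ordinary setuptools boilerplate, should be clean.
SAMPLE_BENIGN_SETUP = (
    "import os\n"
    "from setuptools import setup, find_packages\n"
    "\n"
    "here = os.path.abspath(os.path.dirname(__file__))\n"
    'with open(os.path.join(here, "README.md")) as f:\n'
    "    long_description = f.read()\n"
    "\n"
    'setup(name="example-pkg", version="0.1.0", packages=find_packages(),\n'
    "      long_description=long_description)\n"
)


if __name__ == "__main__":
    # Usage: python triage_setup.py path/to/setup.py  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MALICIOUS_SETUP
    for lineno, reason in triage_setup_py(text):
        print(f"line {lineno}: {reason}")
```

To review a real package without executing it, fetch the source distribution with `pip download --no-deps --no-binary :all: <package>`, extract the archive, and run the script on its setup.py; anything flagged deserves a manual read before `pip install` is ever run. The obfuscation the page mentions is exactly what defeats a check like this, so a clean result is not proof of safety, only the absence of the obvious.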

The infection chain also installs several additional, potentially harmful programs, drops malicious code into the Windows Startup folder for persistence, and pulls in libraries that let the attackers control, monitor and record mouse and keyboard input.

Once the malware is installed on the victim's machine, it gives the attackers access to sensitive data such as browser cookies and passwords, cryptocurrency wallets, Discord tokens and Telegram data. The collected data is packed into a ZIP archive and exfiltrated.

The malware also tries to download and install cloudflared, Cloudflare's command-line tunnel client. Because the tunnel is established outbound from the victim's host, it exposes a Flask app running on the victim's machine to the attackers without any change to the victim's firewall.

That Flask app serves as the command-and-control (C&C) interface: through it the attackers can run shell commands, download and execute remote files, and execute arbitrary Python code, as well as extract information such as usernames, IP addresses and machine details.

The malware combines the capabilities of an information stealer and a remote access trojan (RAT). It also streams continuous screenshots of the victim's screen to the attackers and lets them send mouse clicks and key presses, which amounts to a rudimentary remote desktop. Phylum named the malware PoweRAT rather than Xrat "because of its early reliance on PowerShell in the attack chain."

Phylum concludes, "This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot! Even if the attacker fails to establish persistence or fails to get the remote desktop utility working, the stealer portion will still ship off whatever it found."