New PyPI Malware “Pytoileur” Steals Crypto and Evades Detection

March 8, 2026

Cybersecurity researchers have uncovered “pytoileur,” a malicious package on the Python Package Index (PyPI). 

The package, posing as an “API Management tool written in Python,” concealed code that downloads and installs trojanized Windows binaries. 

These binaries are capable of surveillance, achieving persistence and stealing cryptocurrency. The package was discovered by Sonatype’s automated malware detection systems and quickly taken down after being flagged.

The pytoileur package, downloaded 264 times before its removal, used deceptive techniques to avoid detection. Its metadata described it as a “Cool package,” using a tactic of labeling packages with appealing, vague descriptions to lure developers into downloading them.

A closer examination, described in an advisory published by Sonatype today, revealed hidden code within the package’s setup file, obscured by extensive whitespace. This code executed a base64-encoded payload that retrieved a malicious executable from an external server.

The downloaded binary, “Runtime.exe,” leverages PowerShell and VBScript commands to install itself, ensuring persistence on the infected system. It employs various anti-detection measures to evade analysis by security researchers. 

The binary is capable of information theft and crypto-jacking, targeting user data stored in web browsers and accessing assets associated with cryptocurrency services like Binance and Coinbase, among others.

Further investigation revealed that pytoileur is part of a broader “Cool package” campaign that has been ongoing for months. This campaign involves multiple malicious packages on PyPI, all using similar tactics to download trojanized binaries.

For instance, packages like “gpt-requests” and “pyefflorer” have been identified as part of this campaign. They employ similar base64 encoding techniques to hide malicious payloads.
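A defender's triage check for the two traits described above, code pushed off-screen by long whitespace runs in a setup file and base64-encoded payloads, written as an added example (not Sonatype's detection logic and not code from the original article). The function names, the 40-blank and 24-character thresholds, and the sample `example-pkg` setup file with its harmless payload are assumptions constructed for illustration.

```python
import ast
import base64
import binascii
import re

# Heuristics (assumed thresholds): 40+ blanks before code, 24+ base64 characters.
GAP = re.compile(r"[ \t]{40,}(?=\S)")
B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
RISKY_CALLS = {"exec", "eval", "compile", "b64decode", "system", "Popen"}


def decodes_as_base64(text):
    """Return the decoded bytes when text is a well-formed base64 string, else None."""
    if not B64.fullmatch(text) or len(text) % 4:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_setup_source(source):
    """Return sorted (line, reason) findings for the text of one setup.py."""
    findings = set()
    for number, line in enumerate(source.splitlines(), 1):
        if GAP.search(line):
            findings.add((number, "code after long whitespace run"))
    try:
        tree = ast.parse(source)  # parses only; the scanned file is never executed
    except SyntaxError:
        return sorted(findings | {(0, "not parseable as Python 3")})
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            text = node.value if isinstance(node.value, str) else node.value.decode("latin-1")
            if decodes_as_base64(text) is not None:
                findings.add((node.lineno, "base64 literal"))
        elif isinstance(node, ast.Call):
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if name in RISKY_CALLS:
                findings.add((node.lineno, f"call to {name}"))
    return sorted(findings)


# Constructed sample: a harmless payload hidden 200 columns to the right.
PAYLOAD = base64.b64encode(b"print('constructed sample payload')").decode()
SAMPLE = ("from setuptools import setup\nimport base64\n"
          "setup(name='example-pkg', version='0.0.1')" + " " * 200
          + f";exec(base64.b64decode('{PAYLOAD}'))\n")
```

Each finding alone is weak evidence, since long alphanumeric strings can decode as base64 by chance; the combination on a single line of a setup file is what merits manual review before installation.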

One package, “lalalaopti,” contained modules designed for clipboard hijacking, keylogging and remote webcam access, indicating the attackers’ broad malicious intent. 

“This week’s reemergence of an identical malicious Python package is a testament to threat actors reviving and recycling old tactics to cast their net wider and expand their set of targets,” wrote Sonatype.

“[These] often involve developers of several niches (i.e., from AI and machine learning enthusiasts to those relying on popular Python frameworks like Pyston).”
