Affected platforms: All platforms where PyPI packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, etc.
Severity level: High

Vigilance is paramount in cybersecurity, especially when it comes to understanding and dissecting potentially malicious code. In this blog post, we'll delve into a piece of code designed (discordpy_bypass-1.7 ) to extract sensitive data from user systems. We'll analyze its components, functions, and methodologies to understand its purpose and approach.

Introduction

FortiGuard Labs uses a proprietary, AI-driven OSS malware detection system to hunt for and monitor threats. Using this approach on the Python Package Index (PyPI) supply chain platform, we unearthed a malicious PyPI package named discordpy_bypass-1.7, published on March 10, 2024, and detected on March 12, 2024.

This code aims to covertly extract sensitive information from unsuspecting victims using a blend of persistence techniques, browser data extraction, and token harvesting. Understanding the origins and propagation methods of malicious code is paramount in its analysis. Authored by theaos, the author produced seven versions of the package, including versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7. The upgrade-colored_0.0.1 also exhibits similar malicious content as discordpy_bypass, indicating a consistent behavior pattern across versions.

Figure 1: discordpy_bypass-1.7

"discordpy_bypass-1.7" highlights the sort of ongoing threats seen across the cybersecurity landscape. This PyPI package version exhibits similar malicious behavior to previous malicious packages, focusing on extracting sensitive data from user systems through obfuscated code and evasion techniques targeting analysis environments. The code employs various checks to detect debugging or analysis environments and terminates itself if detected, showcasing the author's effort to evade scrutiny.

The code has three layers. The original Python code is encoded using base64 (the innermost layer). The encoded strings are then broken into separate pieces and encoded once again with some obfuscation techniques (intermediate layer). The obfuscated file is then compiled using pyinstaller into an exe (the last layer) put on a remote URL. The code in discordpy_bypass/discordpy_bypass.py fetches the code from the URL and runs it on the user's device. This underscores the critical need for vigilance and proactive measures to effectively detect and mitigate cybersecurity threats.

Detecting Debugging or Analysis Environment

One of the first lines of defense code developers use against reverse engineering is detecting debugging or analysis environments. The code segment employs multiple techniques, listed below, to identify such environments and terminate the program’s “self-destruct” if detected.

Figure 2: The program exits in self_destruct

Figure 3: Blocked processes

Figure 4: Block listed IPs and MACs

Figure 5: blackListedUsers, blackListedPCNames, and “blackListedHWIDS

System Initialization and Socket.IO Events

The code initializes a number of variables and sets up Socket.IO events to handle connections, disconnections, frame adjustments, and more. It enables remote control and monitoring of a system, facilitating actions such as directory navigation, file operations, and command execution.

Command Handling Functions

Several functions handle commands received over Socket.IO, executing various actions based on the command received. These actions include listing directory contents, sending files to the server, displaying alerts, listing processes, terminating processes, gathering system information, and more.

Malicious Intent

Browser Data Extraction and Token Harvesting: The code's core functionality revolves around extracting sensitive information from browsers and harvesting authentication tokens, particularly from Discord.

Browser Data Extraction: It utilizes techniques to extract data such as login credentials, cookies, web history, and more from various browsers.

Token Harvesting: This process also decrypts and validates authentication tokens extracted from files, particularly Discord tokens, before uploading them to a remote server.

Figure 8: Actions the hacker can take

Figure 9: The “upload” class collects data from various sources, including browser data such as login credentials, cookies, web history, and credit card information

Figure 10: After collecting the data, the “upload” class compresses it into a ZIP file. This Is often seen in malware to bundle stolen data or payloads for exfiltration

Figure 11: The ‘send’ method attempts to send the compressed ZIP file to a server

Conclusion

Our investigation into the "discordpy_bypass-1.7" code has uncovered a clever and sneaky cyber threat to secretly steal important information from people's computers. What makes this code especially dangerous is how it tries to trick computer systems and experts who attempt to analyze it. It's like a master of disguise that can escape from being caught.

This discovery reminds us that the internet isn't always a safe place. We need to stay alert to protect ourselves from such threats. Understanding them helps us build stronger defenses and stay safe in our digital world. By working together and staying cautious, we can keep our personal information and digital lives secure.

Fortinet Protections

FortiGuard AntiVirus detects the malicious files identified in this report as

upgrade-colored-0.0.1/colored/call.py: Python/Agent.COL!tr
upgrade-colored-0.0.1/colored_payload: Python/Agent.0337!tr
discordpy_bypass-1.0/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.1/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.2/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.3/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.4/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.5/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass.py: Python/Disco.BYP!tr.dldr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_payload.exe: Python/Agent.514A!tr
discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass_python.py: Python/Agent.C77E!tr
discordpy_bypass-1.6/discordpy_bypass/discordpy_bypass_payload.py: Python/Agent.7684!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.

The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users' projects in test phases, and prevents those dependencies from being introduced into users' products.

If you believe these or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs