6 Malicious PyPi Packages Installing RAT Malware via Cloudflare Tunneling

By Gagandeep Singh

10-Jan-2023

Researchers at Phylum discovered six malicious packages on the Python Package Index installing Information stealing and Remote access trojan malware.

These malicious extensions were first found on the Packages repository on December 22, and the attackers kept on uploading other packages till the last day of 2022.

Well, these packages were installing malware while using Cloudflare to bypass firewall restrictions for remote access.

Setup.py has 64-bit encoded strings that decode to a Powershell script, and setup sets the ErrorAction.SlientlyContinue.

The script can continue even if it runs into an error to avoid getting identified by the developers.

Powershell script downloads a ZIP File from a remote resource and unzips it to a local temp directory.

It Installs a variety of dependencies & packages, making sure that remote access & taking screenshots are possible.

There are two more Python packages that get installed silently in the middle of the ‘flask’ and ‘flask cloudflared’ phases.

There are two more Python packages that get installed silently in the middle of the ‘flask’ and ‘flask cloudflared’ phases.

Now the script runs a cftunnel.py which is also stored in the Zip archive that is used to install a Cloudflare tunnel client on the victim’s computer.

Read the full story here.