Summary: a novel PyPI supply-chain attack embeds a compiled Python bytecode file in the fshec2 package to run malicious code and evade source-code scanners, loading the compiled module with importlib rather than a normal import. The operation relies on a remote C2 to fetch commands, and misconfigured attacker infrastructure revealed additional details about the operator's setup.
#fshec2 #PyPI #PythonBytecode #ReversingLabs
Keypoints
- fshec2 is a PyPI package that contains a compiled Python bytecode file (.pyc) delivering malicious functionality.
- The loader uses importlib to load the compiled module instead of a normal import, so the malicious logic never appears in source form and source-code scanners miss it.
- The get_path method gathers system info and commands, including usernames, hostnames, and directory listings, and fetches scheduled tasks/cron commands.
- Commands are downloaded as Python scripts from a remote C2, with a cron_script used to fetch stage-2 commands, enabling evolution of the malware.
- A misconfigured Django-based web host exposed command endpoints and a download form, leaking filenames and IDs without full authorization.
- The campaign demonstrates that PyPI-based malware can bypass source-code analysis and highlights the need for binary analysis of compiled Python files.
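The last two keypoints argue for binary analysis of compiled Python files. The following added example (not ReversingLabs' or the fshec2 author's code) shows one such defender-side check: it walks a package tree for `.pyc` files shipped without a sibling `.py` source, the fshec2 pattern, and statically extracts the names each one references by unmarshalling the code object without executing it. The sample package it builds is constructed for the demonstration, and the watchlist of module names is an assumption an analyst would tune.

```python
import importlib.util
import marshal
import py_compile
import tempfile
from pathlib import Path

# Assumed watchlist: module names whose presence in orphaned bytecode deserves a look.
WATCHLIST = {"importlib", "base64", "subprocess", "socket", "urllib", "os"}

def orphan_pycs(root: Path):
    """Yield .pyc files that ship without a sibling .py (ignoring normal __pycache__)."""
    for pyc in root.rglob("*.pyc"):
        if "__pycache__" not in pyc.parts and not pyc.with_suffix(".py").exists():
            yield pyc

def names_in_pyc(pyc: Path) -> set:
    """Statically collect every name a .pyc references; the code is never executed."""
    data = pyc.read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return {"<magic mismatch: compiled for another interpreter>"}
    code = marshal.loads(data[16:])  # 16-byte .pyc header since Python 3.7
    names, stack = set(), [code]
    while stack:  # walk nested functions/classes via co_consts
        co = stack.pop()
        names.update(co.co_names)
        stack.extend(c for c in co.co_consts if hasattr(c, "co_code"))
    return names

def scan_package(root: Path):
    """Return [(relative path, watchlisted names)] for each orphaned .pyc under root."""
    return [(str(p.relative_to(root)), names_in_pyc(p) & WATCHLIST)
            for p in sorted(orphan_pycs(root))]

# Constructed stand-in for the fshec2 layout: __init__.py loads full.pyc via importlib.
# The compiled payload source is inert and only ever inspected, never imported.
LOADER_SRC = ("import importlib.util, pathlib\n"
              "_spec = importlib.util.spec_from_file_location("
              "'full', pathlib.Path(__file__).with_name('full.pyc'))\n")
PAYLOAD_SRC = "import base64, subprocess, os\ndef get_path():\n    return os.getcwd()\n"

def build_sample_package(workdir: Path) -> Path:
    pkg = workdir / "fshec2_sample"
    pkg.mkdir()
    (pkg / "__init__.py").write_text(LOADER_SRC)
    src = pkg / "full.py"
    src.write_text(PAYLOAD_SRC)
    py_compile.compile(str(src), cfile=str(pkg / "full.pyc"), doraise=True)
    src.unlink()  # ship only the bytecode, as fshec2 did
    return pkg

def demo():
    with tempfile.TemporaryDirectory() as d:
        return scan_package(build_sample_package(Path(d)))

if __name__ == "__main__":
    for path, hits in demo():
        print(f"{path}: orphaned bytecode referencing {sorted(hits)}")
```

Run against an unpacked wheel or sdist directory, a non-empty result is a prompt for manual disassembly, not a verdict.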
MITRE Techniques
- [T1059.006] Python – The loader uses importlib to load a compiled Python module rather than a normal import to avoid detection. ‘Importlib, the implementation of import in Python source code portable to any Python interpreter, is used to avoid detection by security tools.’
- [T1105] Ingress Tool Transfer – The malware downloads commands from a remote server to extend control. ‘The downloaded commands are just another Python script… observed it download and execute yet another Python script from the cron_script located on the same host.’
- [T1033] System Owner/User Discovery – The code collects usernames, hostnames, and directory listings. ‘collects usernames, hostnames, and directory listings.’
- [T1082] System Information Discovery – The same observation of collecting user/host info applies to understanding the target environment. ‘collects usernames, hostnames, and directory listings.’
- [T1083] File and Directory Discovery – The discovery of directory listings is used to map available data. ‘collects usernames, hostnames, and directory listings.’
- [T1053.005] Cron – The malware uses scheduled tasks or cronjobs to fetch commands. ‘fetches commands that are set for execution using scheduled tasks or cronjob, depending on the host platform.’
- [T1027] Obfuscated Files or Information – The attack relies on obfuscation-like techniques (including Base64-encoded code) to conceal payloads. ‘execution of Base64-encoded malicious code’ and related obfuscation approaches are discussed.
Indicators of Compromise
- [Package name] fshec2
- [Version] 1.0.0
- [SHA1] 7be50d49efd1e8199decf84dc4623f58b8686161, bab57a9aac8e138e4e2a9f8079fd50b7c1d31540
- [IP address] 13.51.44.246
- [File name] full.pyc, __init__.py