Keypoints
- FortiGuard Labs detected the malicious PyPI package discordpy_bypass-1.7 (published 2024-03-10) and related packages such as upgrade-colored_0.0.1.
- The malware uses three obfuscation layers: base64-encoded Python, segmented/obfuscated strings, and a PyInstaller-compiled EXE hosted remotely and downloaded at runtime.
- Multiple anti-analysis checks detect debuggers and analysis environments via blocked process list, blacklisted IPs/MACs, usernames, hostnames, and hardware IDs and exit if detected.
- The agent initializes Socket.IO events to establish remote control and exposes command handlers for file operations, directory listing, process listing/termination, and arbitrary command execution.
- Primary data collection targets include browser-stored credentials, cookies, web history, credit card data, and Discord authentication tokens which are decrypted, validated, compressed, and prepared for upload.
- Collected data is compressed into ZIP archives and exfiltrated to a remote server; FortiGuard AntiVirus and Web Filtering signatures detect the files and block related download URLs.
MITRE Techniques
- [T1027] Obfuscated Files or Information – The package encodes and layers its payload to evade analysis (‘The code has three layers. The original Python code is encoded using base64 (the innermost layer). The encoded strings are then broken into separate pieces and encoded once again…’).
- [T1105] Ingress Tool Transfer – The package downloads an executable payload from a remote URL and executes it on the host (‘The code in discordpy_bypass/discordpy_bypass.py fetches the code from the URL and runs it on the user’s device.’).
- [T1059] Command and Scripting Interpreter – The malware executes received commands and Python-based scripts to perform filesystem and process actions (‘Several functions handle commands received over Socket.IO, executing various actions…’).
- [T1547] Boot or Logon Autostart Execution – The report notes the use of persistence techniques to maintain presence on infected systems (‘This code aims to covertly extract sensitive information from unsuspecting victims using a blend of persistence techniques…’).
- [T1071.001] Application Layer Protocol: Web Protocols – Socket.IO is used for C2 and remote interaction, handling connections and command events (‘The code initializes … and sets up Socket.IO events to handle connections, disconnections, frame adjustments, and more.’).
- [T1555.003] Credentials from Web Browsers – The agent extracts browser-stored credentials and authentication tokens (notably Discord tokens) and decrypts/validates them (‘…extracting sensitive information from browsers and harvesting authentication tokens, particularly from Discord.’).
- [T1041] Exfiltration Over C2 Channel – Collected data is compressed and transmitted to an attacker-controlled server (‘After collecting the data, the “upload” class compresses it into a ZIP file… The ‘send’ method attempts to send the compressed ZIP file to a server’).
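The three-layer wrapping described under T1027 (base64-encoded Python, split string literals, and an outer loader) can be peeled statically without ever running the sample. The following triage helper is an added example, not code from the FortiGuard report or from the package; it inspects the AST for `exec(base64.b64decode(<literal>)[.decode()])`, reassembles `'a' + 'b'` literal chains, decodes one layer at a time, and collects any URL seen on the way so the download location can be handed to web filtering. The `_wrap` helper and `INNER_STAGE` text are constructed fixtures that mimic the layer structure; the `example.invalid` URL is a placeholder.

```python
import ast
import base64
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s'\"]+")


@dataclass
class LayerReport:
    depth: int          # number of exec(base64.b64decode(...)) layers peeled
    urls: list          # URLs seen in any layer, candidates for blocklisting
    innermost: str      # the first layer that is no longer a base64 wrapper


def _const_str(node):
    """Return the text of a str/bytes literal, or of a '+'-chain of such literals
    (the 'broken into separate pieces' trick); None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        value = node.value
        return value.decode() if isinstance(value, bytes) else value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _const_str(node.left), _const_str(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def _unwrap_one(source):
    """If source contains exec(base64.b64decode(<literal>)[.decode()]), return the decoded
    inner text, else None. Only the AST is inspected; nothing is executed."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute) and arg.func.attr == "decode":
            arg = arg.func.value                      # strip a trailing .decode()
        if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "b64decode" and arg.args):
            literal = _const_str(arg.args[0])
            if literal is not None:
                try:
                    return base64.b64decode(literal).decode("utf-8", "replace")
                except ValueError:                    # binascii.Error is a ValueError
                    return None
    return None


def peel_layers(source, max_depth=10):
    """Statically peel nested base64/exec wrappers and collect URLs from every layer."""
    urls, depth, current = set(), 0, source
    while depth < max_depth:
        urls.update(URL_RE.findall(current))
        inner = _unwrap_one(current)
        if inner is None:
            break
        depth += 1
        current = inner
    urls.update(URL_RE.findall(current))
    return LayerReport(depth=depth, urls=sorted(urls), innermost=current)


def _wrap(code, split_literal=False):
    """Constructed test fixture only: add one base64/exec layer around code, optionally
    splitting the literal in two as the report describes for the outer layer."""
    enc = base64.b64encode(code.encode()).decode()
    if split_literal:
        mid = len(enc) // 2
        literal = f"{enc[:mid]!r} + {enc[mid:]!r}"
    else:
        literal = repr(enc)
    return f"import base64\nexec(base64.b64decode({literal}).decode())\n"


# Constructed, benign stand-in for the innermost stage: it only names a placeholder URL.
INNER_STAGE = 'PAYLOAD_URL = "http://example.invalid/stage.bin"\nprint("stage 3")\n'
SAMPLE = _wrap(_wrap(INNER_STAGE), split_literal=True)

if __name__ == "__main__":
    report = peel_layers(SAMPLE)
    print(f"layers peeled: {report.depth}, urls: {report.urls}")
    print(report.innermost)
```

`peel_layers` stops at `max_depth` so a self-referential or very deep wrapper cannot loop forever, and a layer that is not valid Python or not valid base64 ends the walk rather than raising. Real samples often add a `.decode()` on the decoded bytes or hide the literal behind a variable; the first case is handled here, the second would need constant propagation and is left out to keep the example small.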
Indicators of Compromise
- [File names] Malicious PyPI package files and payloads – discordpy_bypass-1.7/discordpy_bypass/discordpy_bypass.py, upgrade-colored-0.0.1/colored/call.py
- [SHA256 hashes] File hashes tied to detections – 31c1c3530655fb6da70368fd6c462893ff1b85feda7e5ecbdd9c5ec600e4edb1 (discordpy_bypass.py in discordpy_bypass-1.7), 8fd185a5499d728eef4cd181477b0720a60c8be143ff2628941bb2a5985b1f73 (discordpy_bypass_payload.exe), and 11 more hashes.
- [Package names] PyPI package identifiers – discordpy_bypass-1.0 … discordpy_bypass-1.7, upgrade-colored-0.0.1
- [Source URL] Report/source feed – https://feeds.fortinet.com/~/881968499/0/fortinet/blog/threat-research~Unraveling-Cyber-Threats-Insights-from-Code-Analysis
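A practical use of the indicators above is a sweep of a host's `site-packages` for the named packages and listed hashes. The script below is an added example, not part of the FortiGuard report; it matches top-level entries and `.dist-info` stems against the package names (normalising `-`/`_` as pip does) and streams every file through SHA-256 against the two hashes the page lists. The `demo` function builds a constructed directory layout in a temp dir; because the constructed `colored/call.py` cannot have the real hash (which the page does not give), its own hash is registered as a labelled stand-in so the hash path is exercised.

```python
import hashlib
import tempfile
from pathlib import Path

# The two SHA-256 values the report names on this page (the remaining 11 are not listed here).
KNOWN_BAD_SHA256 = {
    "31c1c3530655fb6da70368fd6c462893ff1b85feda7e5ecbdd9c5ec600e4edb1": "discordpy_bypass-1.7 discordpy_bypass.py",
    "8fd185a5499d728eef4cd181477b0720a60c8be143ff2628941bb2a5985b1f73": "discordpy_bypass_payload.exe",
}
# Package names from the report; pip writes dist-info with '_' so both spellings are normalised.
KNOWN_BAD_PACKAGES = {"discordpy_bypass", "upgrade-colored"}


def _normalise(name):
    return name.lower().replace("-", "_")


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large payloads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_site_packages(root, bad_hashes=KNOWN_BAD_SHA256, bad_packages=KNOWN_BAD_PACKAGES):
    """Return (kind, relative_path, detail) findings for a site-packages directory.

    kind == "package": a top-level entry whose name (or dist-info stem) matches an IoC package.
    kind == "hash":    any file whose SHA-256 matches a listed hash, wherever it sits.
    """
    root = Path(root)
    bad_norm = {_normalise(p) for p in bad_packages}
    findings = []
    for entry in sorted(root.iterdir()):
        name = entry.name
        # 'discordpy_bypass-1.7.dist-info' -> 'discordpy_bypass'; a bare module dir keeps its name
        stem = name.split("-")[0] if name.endswith(".dist-info") else name
        if _normalise(stem) in bad_norm:
            findings.append(("package", name, f"name matches IoC package {stem}"))
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            if digest in bad_hashes:
                findings.append(("hash", path.relative_to(root).as_posix(), bad_hashes[digest]))
    return findings


def demo():
    """Build a constructed site-packages layout in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "discordpy_bypass-1.7.dist-info").mkdir()
        (root / "discordpy_bypass").mkdir()
        (root / "discordpy_bypass" / "discordpy_bypass.py").write_text("# constructed placeholder\n")
        (root / "requests").mkdir()
        (root / "requests" / "__init__.py").write_text("# benign\n")
        (root / "colored").mkdir()
        call_py = root / "colored" / "call.py"
        call_py.write_text("# constructed stand-in for colored/call.py\n")
        # 'colored' is not itself an IoC name, so only a hash can flag it. The real hash is
        # not on this page, so the constructed file's hash is registered as a stand-in.
        hashes = dict(KNOWN_BAD_SHA256)
        hashes[sha256_file(call_py)] = "constructed stand-in for colored/call.py hash"
        return sweep_site_packages(root, bad_hashes=hashes)


if __name__ == "__main__":
    for kind, rel_path, detail in demo():
        print(f"{kind:8} {rel_path:40} {detail}")
```

Point `sweep_site_packages` at a real interpreter's `site-packages` (for example `sysconfig.get_paths()["purelib"]`) to run it against a host. Name matching catches the `.dist-info` record even after the module files are altered, while hash matching catches the payload wherever it was copied; the `upgrade-colored` case shows why both are needed, since its module directory is simply `colored`.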
The package author (theaos) released multiple versions of discordpy_bypass; FortiGuard analysis shows the sample employs layered obfuscation and a remote-hosted PyInstaller executable. At runtime the package performs environment checks (blocked processes like Wireshark and IDA64, blacklisted IPs/MACs, usernames, hostnames, HWIDs) and will exit when an analysis environment is detected. The loader fetches the remote payload and executes Python code on the host, enabling a persistent agent.
Once active, the agent initializes Socket.IO connections for command-and-control and registers handlers that allow directory navigation and listing, file upload/download, process listing/termination, alert display, and arbitrary command execution. Data collection routines locate browser profiles and decrypt stored artifacts, harvesting login credentials, cookies, browsing history, credit card data, and Discord tokens; harvested tokens are validated prior to exfiltration.
Collected artifacts are packaged by an “upload” class into ZIP archives and transmitted to remote servers via the agent’s send routines. FortiGuard provided detection names for the various files and corresponding SHA-256 hashes and notes that FortiGuard AntiVirus and Web Filtering block the malicious files and download URLs.