Keypoints
- The malicious PyPI package “testfiwldsd21233s” targeted both Windows and Linux, using a native executable on Windows and Python code on Linux to steal browser cookies and passwords.
- Stolen data was saved to temporary files, uploaded to transfer[.]sh, and a unique retrieval URL was sent via a hardcoded Telegram bot API endpoint.
- A researcher intercepted the Telegram bot output, later receiving an attacker-sent zip containing multiple .lnk shortcut files disguised as .txt files with a notepad icon.
- The .lnk files contained PowerShell in their “Command Line Arguments” that XOR-decodes an embedded payload, writes a .exe to %temp% with a random name, and executes it.
- The extracted executable is a 64-bit .NET Metasploit backdoor (SHA-256: 4cf48c2a3933ac4c6733533bf16d40fa4e411fbbf42b03d84d6c8df62e253ad0) communicating with hxxp://128[.]199[.]113[.]162/upwawsfrg[.]php for C2 and exfiltration.
- The backdoor establishes persistence by registering a scheduled task that runs the executable every five minutes.
- Key IOCs include a Telegram bot API token/URL, the IP 128[.]199[.]113[.]162, the C2 PHP endpoint, and SHA-256 hashes for the LNK and extracted executable.
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious open-source package deployed via public repositories to deliver payloads (‘poison them with malicious packages and implement strategies…’).
- [T1555.003] Credentials from Web Browsers – The package collected cookies and saved passwords from web browsers (‘gathering sensitive information from web browsers, including but not limited to cookies and saved passwords’).
- [T1102] Web Service – Exfiltration and command reporting used Telegram bot API to forward data (‘exfiltrate the host information along with a unique URL … using a hardcoded Telegram bot API URL’).
- [T1567.002] Exfiltration to Cloud Storage – Stolen files were uploaded to transfer[.]sh for later retrieval (‘saved this data into temporary files, which were then uploaded to transfer[.]sh’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – LNK shortcuts executed a hidden PowerShell command that decodes and launches an embedded executable (‘Command Line Arguments property was set to the following powershell command’).
- [T1027] Obfuscated Files or Information – The payload inside the LNK is XOR-obfuscated and reconstructed at runtime (‘for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x33 }’).
- [T1053.005] Scheduled Task/Job – The malware creates a scheduled task to run the executable every five minutes for persistence (‘create a scheduled task on the system to maintain persistence’ and executes every 5 minutes).
- [T1071.001] Application Layer Protocol: HTTP/S – The backdoor communicates with a handler via HTTP to hxxp://128[.]199[.]113[.]162/upwawsfrg[.]php for C2 and payload delivery (‘communicates with a handler at the IP address “128[.]199[.]113[.]162” … “hxxp[://]128[.]199[.]113[.]162/upwawsfrg[.]php”’).
Indicators of Compromise
- [Domain/URL] Telegram bot and API endpoint used for reporting – hxxps[://]api[.]telegram[.]org/bot6021370805:AAFbCSlFairNgnxSj8mC6Wtf7PW5yGyWmcE (hardcoded bot API URL), and hxxp[://]128[.]199[.]113[.]162/upwawsfrg[.]php (C2/exfil endpoint).
- [IP Address] Command-and-control host – 128[.]199[.]113[.]162 (handler accepting GET/POST for backdoor communication).
- [File Hash] Extracted malicious executable (PE) – SHA-256 4cf48c2a3933ac4c6733533bf16d40fa4e411fbbf42b03d84d6c8df62e253ad0 (identified as Metasploit backdoor).
- [File Hash] Malicious LNK files – SHA-256 273a75ba90251e317ed6291e6d4e31f80ce006e81bdc6582a4988078dc5610ef (multiple .lnk files shared the same hash).
- [File/Package Names] Identifiers observed in supply chain and payloads – PyPI package “testfiwldsd21233s”, stolen archive extension “.wsr”, and disguised shortcut filenames like “Screen,jpg.lnk”.
The malicious package targeted both Windows and Linux; on Windows the installer deployed LNK shortcut files that appear as .txt files (custom icon set to notepad) but carry PowerShell in their “Command Line Arguments” property. The PowerShell command locates a specific .lnk by size, reads it as a byte array, XOR-decodes each byte with 0x33, skips the first 2,838 bytes, writes the remainder as a .exe to %temp% under a random name, and executes it, so the payload runs immediately with no visible window.
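The shortcut handling described above, as an added example that is not part of the original report and is not the researcher's own extractor: a Python triage helper that parses the shortcut's StringData per the MS-SHLLINK layout, flags PowerShell-style arguments, and replicates the loader's decoding (XOR 0x33, then drop the 2,838-byte prefix) only to recover the embedded PE and hash it. The function names, the suspicious-token list and the `build_sample_lnk` artefact are mine and constructed for illustration; nothing here executes what it carves.

```python
"""LNK triage helper (added example, not the report's or researcher's own tool).

Parses the StringData of a Windows shortcut per MS-SHLLINK, flags PowerShell-style
arguments, and replicates the loader's decoding (XOR 0x33, skip 2,838 bytes) only to
recover the embedded PE for hashing. Nothing here executes the payload."""
import hashlib
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

XOR_KEY = 0x33          # key used by the analysed loader
PAYLOAD_OFFSET = 2838   # bytes of shortcut structure preceding the encoded PE

# Argument fragments worth a second look; assumed list, tune to your environment
SUSPICIOUS_ARG_TOKENS = ("powershell", "-bxor", "-w hidden", "-windowstyle hidden",
                         "-nop", "-enc", "[system.io.file]", "start-process")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields


def triage_lnk(data: bytes) -> dict:
    """What a defender wants from a shortcut: its arguments, icon and suspicious hits."""
    fields = parse_lnk_strings(data)
    args = fields.get("arguments", "")
    hits = [t for t in SUSPICIOUS_ARG_TOKENS if t in args.lower()]
    return {"arguments": args, "icon_location": fields.get("icon_location", ""),
            "hits": hits, "suspicious": bool(hits), "size": len(data)}


def carve_xor_payload(data: bytes, key: int = XOR_KEY, offset: int = PAYLOAD_OFFSET):
    """Decode like the loader does and return (pe_bytes, sha256) if an MZ header appears."""
    decoded = bytes(b ^ key for b in data)[offset:]
    if not decoded.startswith(b"MZ"):
        return None
    return decoded, hashlib.sha256(decoded).hexdigest()


def build_sample_lnk(arguments: str, icon: str, payload: bytes) -> bytes:
    """Constructed test artefact: minimal header + StringData padded to PAYLOAD_OFFSET,
    followed by the XOR-encoded payload. Not a real sample."""
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", flags) + bytes(52)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    shortcut = (header + string_data(arguments) + string_data(icon)).ljust(PAYLOAD_OFFSET, b"\x00")
    return shortcut + bytes(b ^ XOR_KEY for b in payload)


if __name__ == "__main__":
    sample = build_sample_lnk('-nop -w hidden -c "<constructed stand-in for the loader>"',
                              "%SystemRoot%\\system32\\notepad.exe", b"MZ" + bytes(64))
    print(triage_lnk(sample))
    carved = carve_xor_payload(sample)
    print("carved PE sha256:", carved[1] if carved else None)
```

The carver deliberately refuses to return anything that does not start with `MZ`, so a wrong key or a benign shortcut yields `None` rather than a pile of bytes; compare the returned SHA-256 with the report's hash when triaging a real file.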
Extracting the payload from the LNK produced a 64-bit .NET PE (SHA-256 4cf48c2a…3ad0) which behaved as a Metasploit-generated backdoor. During runtime it contacted hxxp://128[.]199[.]113[.]162/upwawsfrg[.]php (HTTP GET/POST) for C2 and payload retrieval, and created a Windows scheduled task to run the executable every five minutes to ensure persistence. Initial data-stealing behavior involved harvesting browser cookies and saved passwords, saving them to temporary files, uploading those files to transfer[.]sh, and then sending the retrieval URL via a hardcoded Telegram bot API token/endpoint.
Detection and analysis steps used: intercepting Telegram bot messages to observe exfiltration flows, extracting and inspecting LNK metadata with exiftool to reveal icon and command-line properties, using a small Python extractor to reconstruct the embedded PE from the LNK, and dynamic analysis to observe network callbacks and scheduled-task creation. Key defensive controls include monitoring for anomalous use of Telegram API tokens, large uploads to file-transfer services (transfer[.]sh), suspicious .lnk files with nonstandard command-line arguments, unexpected scheduled tasks, and outbound HTTP traffic to 128[.]199[.]113[.]162 or similar endpoints.
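The network-side controls listed above, as an added example that is not from the original analysis: a small Python detector run over constructed proxy log lines that flags outbound traffic to the reported C2 host and path, any Telegram bot API token in a URL (the report's token could be rotated, the URL shape cannot), large PUT/POST uploads to transfer.sh, and the stolen-archive extension. The log format, the upload threshold, the sample lines and the bot token in them are constructed assumptions; the IP and C2 path are the report's own indicators written undefanged so they match real log content.

```python
"""Log-side detection for the exfiltration/C2 pattern in this report.
Added example over constructed proxy log lines; not from the original analysis."""
import re
from urllib.parse import urlparse

# Report IOCs, written undefanged because they must match real log content
C2_HOSTS = {"128.199.113.162"}
C2_PATHS = {"/upwawsfrg.php"}
FILE_DROP_HOSTS = {"transfer.sh"}
STOLEN_ARCHIVE_EXT = ".wsr"
# Any bot token, not just the one in the report: the bot can be rotated, the pattern cannot
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{30,}")
LARGE_UPLOAD_BYTES = 100_000   # assumed threshold; tune per environment

# Constructed log format: <timestamp> <client> <method> <url> <request_bytes>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$")


def classify(line: str) -> list:
    """Return the detection names triggered by one log line (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    parsed = urlparse(m["url"])
    host, path = (parsed.hostname or "").lower(), parsed.path
    alerts = []
    if host in C2_HOSTS or path in C2_PATHS:
        alerts.append("c2_callback")
    if TELEGRAM_BOT_RE.search(m["url"]):
        alerts.append("telegram_bot_api")
    if host in FILE_DROP_HOSTS and m["method"] in ("PUT", "POST") and int(m["bytes"]) >= LARGE_UPLOAD_BYTES:
        alerts.append("large_upload_to_file_drop")
    if path.lower().endswith(STOLEN_ARCHIVE_EXT):
        alerts.append("stolen_archive_extension")
    return alerts


def scan(lines) -> list:
    """List (line_number, detections) for every alerting line; clean lines are omitted."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed sample lines mirroring the reported flow: upload, Telegram report, C2 beacon
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://pypi.org/simple/requests/ 0",
    "2024-01-01T10:00:07Z 10.0.0.5 PUT https://transfer.sh/cookies.wsr 482913",
    "2024-01-01T10:00:09Z 10.0.0.5 GET https://api.telegram.org/bot1234567890:AAConstructedTokenValueForTestOnly0000000/sendMessage?chat_id=1&text=done 0",
    "2024-01-01T10:05:00Z 10.0.0.5 POST http://128.199.113.162/upwawsfrg.php 218",
    "2024-01-01T10:06:00Z 10.0.0.7 POST https://transfer.sh/notes.txt 1200",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The token rule matches on URL shape rather than the specific token so a rotated bot still trips it, and the upload rule pairs host, method and size so ordinary small downloads from transfer.sh stay quiet; the five-minute cadence of the C2 beacons is the other signal worth correlating once a `c2_callback` fires.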
Read more: https://checkmarx.com/blog/when-the-hunter-becomes-the-hunted/