Colour-Blind RAT Wriggles Its Way Onto PyPI
A Python package named "colourfool" that was uploaded to PyPI has been discovered to contain a malicious information stealer and remote access trojan.
Kroll's Cyber Threat Intelligence team identified the malware, which they named "Colour-Blind." Like other malicious Python packages, colourfool conceals its harmful code in the setup script, which runs at install time. The malware establishes persistence through a Visual Basic script and uses transfer[.]sh for data exfiltration. The trojan is capable of gathering passwords, taking screenshots, logging keystrokes, opening arbitrary web pages, executing commands, capturing crypto wallet data, and even spying on victims through their webcams.
The malware is also designed to evade detection by checking for sandbox execution and setting up a Flask web application for remote control, which it makes accessible through Cloudflare's reverse tunnel utility 'cloudflared.' Researchers have noted the similarity between this campaign and the one disclosed by Phylum last month, where six fraudulent packages were used to distribute a stealer-cum-RAT called poweRAT, which also used Flask and Cloudflare for remote control.
The researchers believe that these similarities indicate that different threat actors are sharing ideas, resources, or code, rather than an evolution of a code base being developed by a single actor.
What is a Remote-Access Trojan?
A Remote Access Trojan (RAT) is a type of malware that gives an attacker unauthorized access to a victim's computer system. The attacker can then remotely control the compromised system, enabling them to steal sensitive data, install other malicious software, and perform other nefarious activities. RATs are usually delivered through phishing emails or other forms of social engineering. Once installed, they establish a backdoor into the system, allowing the attacker to access and control the victim's computer remotely. RATs are often used in targeted attacks against individuals, organizations, and governments, and they can be very difficult to detect and remove.
How Can You Protect Your System from Malware Similar to Colour-Blind RAT?
There are several steps you can take to protect your system from malware similar to the Colour-Blind RAT:
- Keep your system and software up to date with the latest security patches and updates.
- Use antivirus software and keep it updated regularly.
- Be cautious when downloading and installing software, especially from untrusted sources.
- Use a reputable software repository, such as PyPI, and carefully review the details of any package you plan to install.
- Use a firewall to block incoming traffic and limit outgoing traffic to only essential applications.
- Regularly back up your important data to an external device or cloud-based storage service.
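Because colourfool hid its payload in the setup script, "carefully review the details of any package" in practice means reading setup.py before letting pip execute it. The following is an added example, not code from Kroll's report or from the colourfool package: a small AST-based check that flags install-time execution primitives, a custom cmdclass hooking the install step, and string references to the infrastructure named above (transfer.sh, cloudflared). The sample setup.py it scans is constructed for illustration.

```python
import ast

# Calls a benign setup.py almost never needs while it is being installed.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "os.system", "subprocess.Popen", "subprocess.run",
    "subprocess.call", "base64.b64decode", "urllib.request.urlopen", "requests.get",
}
# Indicators named in the write-up above; extend with your own.
SUSPICIOUS_STRINGS = ("transfer.sh", "cloudflared")

def _callee_name(call):
    """Dotted name of a Call's callee, e.g. 'subprocess.Popen', else None."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

def scan_setup_py(source):
    """Return sorted (line, reason) findings for the text of a setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"install-time call to {name}"))
            # A custom cmdclass is the usual way to run code during 'install'.
            elif name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append((node.lineno, "setup() overrides cmdclass"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for ioc in SUSPICIOUS_STRINGS:
                if ioc in node.value:
                    findings.append((node.lineno, f"string references {ioc}"))
    return sorted(findings)

# Constructed sample for illustration; not the real colourfool setup.py.
SAMPLE_SETUP = """\
import base64, subprocess
from setuptools import setup
subprocess.Popen(["curl", "-s", "https://transfer.sh/PLACEHOLDER"])
exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))
setup(name="colourfool", version="0.1")
"""

if __name__ == "__main__":
    for line, reason in scan_setup_py(SAMPLE_SETUP):
        print(f"setup.py:{line}: {reason}")
```

Run it against the setup.py from `pip download --no-binary :all: <package>` before installing; a clean result is not proof of safety, but any hit deserves a manual read.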