
URL: https://merkurynews.biz.id/pypi-users-targeted-with-powerat-malware/
Submission: On January 11 via manual from US — Scanned from NL


MERKURYNEWS

Trending News. Latest news from world and many more

Search
Search
 * Home
 * Pages
   * About
   * Contact


   
   
 * Home
 * Download
 * PyPI users targeted with PoweRAT malware

Download


PYPI USERS TARGETED WITH POWERAT MALWARE

January 10, 2023
everglow

Software supply chain security company Phylum has identified a malicious attack
targeting Python Package Index (PyPI) users with the PoweRAT backdoor and
information stealer.

The campaign was first discovered on December 22, 2022, when a malicious package
called PyroLogin was identified as Python malware designed to fetch code from a
remote server and silently execute it.

Between December 28 and 31, Phylum's security researchers observed five more
packages containing PyroLogin-like code being published to PyPI:
EasyTimeStamp, Discord, Discord-dev, Style.py, and PythonStyles.

The infection chain, which involves running various scripts and abusing
legitimate operating system functions, starts in the package's setup.py file,
which means the malware runs automatically as soon as a malicious package is
installed with pip.

Phylum's analysis of the execution process revealed the use of obfuscation and
attempts to hinder static analysis. To avoid raising the victim's suspicion, a
message claiming that "dependencies" are being installed is displayed while the
malicious code runs in the background.
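The two paragraphs above describe the pattern a defender can look for before a package ever reaches pip: install-time hooks in setup.py, decoded blobs, a decoy "installing dependencies" message and a PowerShell launch. The following static triage script is an added example (not Phylum's tooling or the article's own code) that parses a setup.py with Python's ast module and flags those indicators; the indicator lists, the `triage_setup_py` name and both sample setup.py strings are constructed for this example.

```python
import ast

# Constructed indicator lists for this example; tune them for your own pipeline.
SUSPICIOUS_IMPORTS = {"subprocess", "base64", "socket", "ctypes", "requests", "urllib.request"}
SUSPICIOUS_CALLS = {"exec", "eval", "os.system", "os.popen", "subprocess.Popen",
                    "subprocess.run", "subprocess.call", "base64.b64decode",
                    "urllib.request.urlopen", "requests.get", "socket.socket"}

def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def triage_setup_py(source):
    """Statically triage setup.py text: flagged imports/calls, cmdclass install hook, score."""
    findings = {"imports": set(), "calls": set(), "install_hook": False}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings["imports"].update(a.name for a in node.names if a.name in SUSPICIOUS_IMPORTS)
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_IMPORTS:
            findings["imports"].add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["calls"].add(name)
            if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings["install_hook"] = True  # code registered to run during `pip install`
    findings["score"] = len(findings["imports"]) + len(findings["calls"]) + (3 if findings["install_hook"] else 0)
    return findings

# Constructed samples (never executed, only parsed): the first mimics the install hook,
# decoy message, decoded blob and PowerShell launch the article describes, with placeholder data.
HOOKED_SAMPLE = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install
class Hook(install):
    def run(self):
        print("Installing dependencies...")  # decoy while code runs
        blob = base64.b64decode("UExBQ0VIT0xERVI=")  # decodes to "PLACEHOLDER"
        subprocess.Popen(["powershell", "-c", blob.decode()])
        install.run(self)
setup(name="pkg", version="0.1", cmdclass={"install": Hook})
'''
CLEAN_SAMPLE = 'from setuptools import setup\nsetup(name="pkg", version="0.1")\n'
```

Running `triage_setup_py(HOOKED_SAMPLE)` reports the base64/subprocess imports and calls plus the cmdclass hook (score 7), while `CLEAN_SAMPLE` scores 0; a nonzero score is a reason to inspect the package by hand, not proof of malice.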

The infection chain also involves the installation of several potentially
invasive packages, including libraries that allow the attackers to control and
monitor mouse and keyboard input and capture the screen, as well as placing
malicious code in the Windows startup folder for persistence.

Once running on the victim's computer, the malware enables the attackers to
steal sensitive information such as browser cookies and passwords, crypto
wallets, Discord tokens, and Telegram data. The collected information is
packed into a ZIP archive and exfiltrated.

The malware also attempts to download and install Cloudflared, Cloudflare's
command-line tunneling client, on the victim's computer. The tunnel lets the
attackers reach a Flask app running on the victim's system without modifying
the firewall.

As a command-and-control (C&C) client, the Flask app allows attackers to extract
information such as usernames, IPs, and machine details, run shell commands,
download and run remote files, and even run arbitrary Python code.

The malware, which combines an information stealer with a remote access
trojan (RAT), also includes a feature that sends the attackers a constant
stream of screenshots of the victim's screen and lets them trigger mouse
clicks and keystrokes.

The malware is called Xrat, but Phylum chose to call it “PoweRAT” “because of
its reliance on PowerShell early in the attack chain”.

“This thing is like a RAT on steroids. It has all the basic RAT functionality
integrated into a nice web GUI with a rudimentary remote desktop feature and
stealer to boot! Even if the attacker fails to establish persistence or fails to
get the remote desktop utility to work, the thief part will still send whatever
it finds,” concludes Phylum.

See also: Malicious PyPI module impersonates SentinelOne SDK

Related: Python, JavaScript developers targeted with bogus packages delivering
ransomware

Related: Malware Delivered to PyTorch Users in a Supply Chain Attack





Ionut Arhire is international correspondent for SecurityWeek.

Tags: Attack on the supply chain, back door, download, information thief,
PowerRAT, PyPI, python, tribe, xrat


Copyright © 2023 Merkurynews