Highlights:
- The first malicious package, Zebo-0.1.0, shows advanced malware behavior, using obfuscation to hide its functionality and evade detection by security tools.
- The second malicious package, Cometlogger-0.1, includes multiple malicious functions aimed at stealing system credentials and user data.
A recent report from Fortinet Inc.’s FortiGuard Labs highlights two newly identified malicious Python packages that present significant risks, including credential theft, data exfiltration, and unauthorized system access.
The first package, Zebo-0.1.0, exhibits advanced malware behavior, using obfuscation techniques to conceal its functionality and evade detection by security tools. Its capabilities include keylogging, screen capturing, and the exfiltration of sensitive data to remote servers, posing a serious risk to user privacy and system security.
Zebo-0.1.0 leverages libraries like pynput for keylogging and ImageGrab for screenshot capture, enabling it to record keystrokes and periodically capture desktop snapshots. This functionality can expose sensitive information, including passwords and financial data. The malware stores the captured data locally before transmitting it to a Firebase database via obfuscated HTTP requests, allowing attackers to access the stolen information undetected.
The malware employs a persistence mechanism to automatically re-execute whenever the infected system boots. It achieves this by generating scripts and batch files in the Windows startup directory, allowing it to remain on the system unnoticed. This persistence makes the malware challenging to remove and enables prolonged data theft and surveillance.
The second package, Cometlogger-0.1, features various malicious functions designed to compromise system credentials and user data. It dynamically injects webhooks into code at runtime, enabling the transmission of sensitive information, such as passwords and tokens, to attacker-controlled remote servers.
Cometlogger-0.1 demonstrates advanced evasion techniques aimed at avoiding detection and hindering analysis. One such technique, anti-virtual-machine detection, looks for signs of the sandbox environments typically used by security researchers. If VM indicators are found, the malware halts its execution, allowing it to bypass analysis while operating undetected on real-world systems.
While both malware variants are concerning, FortiGuard Labs researchers highlight that Cometlogger-0.1 poses a greater threat due to its ability to steal a broad range of user data, including session cookies, saved passwords, and browser history. It also targets data from platforms like Discord, X, and Steam, creating opportunities for account hijacking and impersonation.
“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM. While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute,” the researchers note.
The researchers emphasize that the most effective way to prevent infection is by thoroughly verifying third-party scripts and executables before use. Organizations are advised to deploy firewalls and intrusion detection systems to monitor for suspicious network activity, while employees should be trained to identify phishing attempts and avoid running unverified scripts.