UPDATED 19:19 EDT / DECEMBER 23 2024

Fortinet warns of malicious Python packages targeting credentials and user data

A new report out today from Fortinet Inc.’s FortiGuard Labs is warning of two newly discovered malicious Python packages that pose a high risk of credential theft, data exfiltration and unauthorized system access.

The first package, Zebo-0.1.0, was found to exhibit sophisticated malware behavior, including obfuscation techniques that hide its functionality and make it difficult for security tools to identify it as malicious. The malware includes keylogging, screen capturing and support for the exfiltration of sensitive data to remote servers, posing a severe threat to user privacy and system integrity.

Zebo-0.1.0 uses libraries such as pynput for keylogging and ImageGrab for capturing screenshots. That allows the malware to record every keystroke and periodically take snapshots of the user’s desktop, potentially exposing passwords, financial information and other sensitive data. The malware stores the data locally before transmitting it to a Firebase database via obfuscated HTTP requests, ensuring the stolen information can be accessed by the attackers without detection.

The malware also uses a persistence mechanism to ensure that it re-executes every time the infected system starts up. It does so by creating scripts and batch files in the Windows startup directory. They allow it to maintain a presence on the system without the user’s knowledge, making it difficult to remove and also enabling long-term data theft and surveillance.

The second package, Cometlogger-0.1, comes with a range of malicious functions that target system credentials and user data. The malware dynamically injects webhooks into code at runtime, allowing it to send sensitive data, including passwords and tokens, to remote servers controlled by the attackers.

Cometlogger-0.1 was also found to exhibit capabilities designed to evade detection and disrupt analysis. One capability, anti-virtual machine detection, checks for signs of sandbox environments often used by security researchers, and if it detects VM indicators, the malware ceases execution, allowing it to bypass analysis and remain undetected in live environments.

Though both packages are flagged as malicious, the FortiGuard Labs researchers say Cometlogger-0.1 goes further, with an ability to steal a wide array of user data, including session cookies, saved passwords and browser history. It can also target data from services such as Discord, X and Steam, opening the door to account hijacking and impersonation.

“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM,” the researchers note. “While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.”

The researchers conclude by noting that the best way to prevent infection is to always verify third-party scripts and executables before running them. Organizations should also implement firewalls and intrusion detection systems to identify suspicious network activity, and employees should be trained to recognize phishing attempts and to avoid executing unverified scripts.
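As an added, defender-side example (not code from the report or from either package), here is a static pre-install scan that flags the indicators described above in a Python source file before it is ever executed. The module names come from the report; the endpoint and startup-path substrings and the exec/eval heuristic are assumptions about how such code is typically written, and the sample input is constructed.

```python
"""Static pre-install scan of a Python source file for the behaviours the
report describes: keylogging (pynput), screen capture (ImageGrab),
exfiltration endpoints (Firebase, webhooks), Windows startup-folder
persistence and exec()/eval() of dynamically built code."""
import ast

# Module names come from the report. The endpoint and startup-path substrings
# are assumptions about how such code usually spells them, not values taken
# from the packages themselves.
SUSPICIOUS_MODULES = {"pynput": "keylogging", "PIL.ImageGrab": "screen capture"}
SUSPICIOUS_STRINGS = {
    "firebaseio.com": "Firebase exfiltration endpoint",
    "/api/webhooks/": "webhook exfiltration endpoint",
    "Programs\\Startup": "Windows startup-folder persistence",
}


def scan_source(source: str) -> list[str]:
    """Parse `source` without running it and return sorted indicator labels."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [f"{node.module}.{a.name}" for a in node.names]
        for name in names:
            for mod, label in SUSPICIOUS_MODULES.items():
                if name == mod or name.startswith(mod + "."):
                    findings.add(label)
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for needle, label in SUSPICIOUS_STRINGS.items():
                if needle in node.value:
                    findings.add(label)
        # exec()/eval() is the usual wrapper around obfuscated (e.g. base64)
        # payloads; flag the call site rather than evaluating anything.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"}):
            findings.add("exec/eval of dynamic code (obfuscation)")
    return sorted(findings)


# Constructed sample modelled on the described behaviour; not a real package.
SAMPLE = r'''
from pynput import keyboard
from PIL import ImageGrab
import base64
DB = "https://example-project.firebaseio.com/logs.json"
STARTUP = "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
'''

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

A clean file yields an empty list; anything flagged is a reason to read the package source before installing it, which is the verification step the researchers recommend.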
