Fortinet warns of malicious Python packages targeting credentials and user data – News

A new report out today from Fortinet Inc.’s FortiGuard Labs is warning of two newly discovered malicious Python packages that pose a high risk of credential theft, data exfiltration and unauthorized system access.

The first vulnerability, Zebo-0.1.0, was found to demonstrate sophisticated malware behavior, including obfuscation techniques to hide its functionality and make it difficult for security tools to identify it as malicious. The malware includes keylogging, screen capturing and support for the exfiltration of sensitive data to remote servers, posing a severe threat to user privacy and system integrity.

Zebo-0.1.0 uses libraries such as pynput for keylogging and ImageGrab for capturing screenshots. That allows the malware to record every keystroke and periodically take snapshots of the user’s desktop, potentially exposing passwords, financial information and other sensitive data. The malware stores the data locally before transmitting it to a Firebase database via obfuscated HTTP requests, ensuring the stolen information can be accessed by the attackers without detection.

The malware also uses a persistence mechanism to ensure that it re-executes every time the infected system starts up. It does so by creating scripts and batch files in the Windows startup directory. They allow it to maintain a presence on the system without the user’s knowledge, making it difficult to remove and also enabling long-term data theft and surveillance.

The second vulnerability, Cometlogger-0.1, comes with a range of malicious functions that target system credentials and user data. The malware dynamically injects webhooks into code during runtime to allow it to send sensitive data, including passwords and tokens, to remote servers controlled by the attackers.

Cometlogger-0.1 was also found to exhibit capabilities designed to evade detection and disrupt analysis. One capability, anti-virtual machine detection, checks for signs of sandbox environments often used by security researchers, and if it detects VM indicators, the malware ceases execution, allowing it to bypass analysis and remain undetected in live environments.

Though both forms of identified malware are noted as bad, the FortiGuard Lab’s researchers say Cometlogger-0.1 goes to another level with an ability to steal a wide array of user data, including session cookies, saved passwords and browser history. It can also target data from services such as Discord, X and Steam, opening the door to account hijacking and impersonation.

“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM,” the researchers note. “While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.”

The researchers conclude by noting that the best way to prevent infection is to always verify third-party scripts and executables before running them. Organizations should also implement firewalls and intrusion detection systems to identify suspicious network activity, and employees should be trained to recognize phishing attempts and to avoid executing unverified scripts.

Image: News/Ideogram