Colour-Blind, a fully featured info stealer and RAT in PyPI

Pierluigi Paganini March 06, 2023

Experts discovered a fully featured information stealer, tracked as ‘Colour-Blind’ in the Python Package Index (PyPI).

Researchers from Kroll’s Cyber Threat Intelligence team discovered a malicious Python package uploaded to the Python Package Index (PyPI) that contained a fully-featured information stealer and remote access trojan tracked as Colour-Blind.

Below is the list of capabilities supported by the RAT through the control interface includes:

  • Tokens: Dumps to the screen login tokens for several application that use chromium via electron.io or chromium directly as an application framework, a notable example being Discord.
  • Passwords: Dumps passwords extracted from web browsers to screen
  • Cookies: Dumps all browser cookies to screen
  • Keys: Dumps to key loggers captured data to screen
  • Applications: Provides a list of running applications and a button to terminate them
  • Data Dump: Sends all captured data to the C2 URL
  • Screen: Shows screenshot of the user desktop and allows for rudimentary interaction such as key presses
  • IP: Looks up IP information and displays it to screen (using a different function to earlier)
  • Open Browser: Opens a browser to a given webpage
  • Run: Runs a command via operating system
  • Text Input: Sends keystroke to the machine
  • Phantom/Metamask: Steals cryptocurrency wallet information

The malicious package is named colourfool. The experts pointed out that the Colour-Blind malware “points to the democratization of cybercrime” allowing threat actors to develop their own variants based on the shared source code.

The package contained a single Python file of note, which is a large “setup.py” that was modified four days before its discovery. The script was developed to download a file from a remote server, then silently execute it. 

The experts noticed something suspicious in the function that provided the URL for downloading the malware.

“It attempted to get a URL from a pastebin[.]com snippet and failing this returned a hardcoded discord content delivery network URL. Within a legitimate library, the use of hardcoded URLs for downloading executable resources “on the fly” is uncommon.” reads the report published by Kroll. “This is particularly true when those URLs aren’t persistent and unlikely to be reachable after a short period of time.”

The second stage archive contained only one file “code.py” which is over 300 kilobytes (KB) in size.

This second script includes multiple modules that allows the malware to conduct malicious activity such as keylogging, stealing cookies, and disabling security products.

The malware performs some checks to avoid being executed in a sandbox, but it has a light obfuscation. The malware maintains persistence by adding a Visual Basic (VB) script named “Essentials.vbs” to the “Start Up” folder within the user’s “Start Menu.”

The malware relies on the anonymous file transfer service“transfer[.]sh,” to exfiltrate stolen data.

“The malware triggers multiple subprocesses, including threads for cookies, passwords and cryptocurrency wallet theft.” continues the report. “As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare’s reverse tunnel utility “cloudflared,” bypassing any inbound firewall rules.”

Kroll highlights that the interesting features supported by Colour-Blind malware can easily be written in modern languages such as Python.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Colour-Blind)



you might also like

leave a comment