Blog

Malicious PyPi package hides RAT malware, targets Discord devs since 2022

A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

Named “discordpydebug,” the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.

Cybersecurity company Socket, which first spotted it, says the malware could be used to backdoor Discord developers’ systems and provide attackers with data theft and remote code execution capabilities.

“The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny,” Socket researchers said.

“Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy.”

Once installed, the malicious package transforms the device into a remote-controlled system that will execute instructions sent from an attacker-controlled command-and-control (C2) server.

The attackers could use the malware to gain unauthorized access to credentials and more (e.g., tokens, keys, and config files), steal data and monitor system activity without being detected, remotely execute code for deploying further malware payloads, and obtain information that can help them move laterally within the network.

discordpydebug on PyPI
discordpydebug on PyPI (BleepingComputer)

​While the malware lacks persistence or privilege escalation mechanisms, it uses outbound HTTP polling instead of inbound connections, making it possible to bypass firewalls and security software, especially in loosely controlled development environments.

Once installed, the package silently connects to an attacker-controlled command-and-control (C2) server (backstabprotection.jamesx123.repl[.]co), sending a POST request with a “name” value to add the infected host to the attackers’ infrastructure.

The malware also includes functions to read from and write to files on the host machine using JSON operations when triggered by specific keywords from the C2 server, giving the threat actors visibility into sensitive data.

To mitigate the risk of installing backdoored malware from online code repositories, software developers should ensure that the packages they download and install come from the official author before installation, especially for popular ones, to avoid typosquatting.

Additionally, when using open-source libraries, they should review the code for suspicious or obfuscated functions and consider using security tools to detect and block malicious packages.

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.


Source link

Related Articles

Back to top button
close