Malware-as-a-service hackers from Spain decided to use a public code repository to openly advertise their wares.


Researchers have discovered malware peddlers advertising an info-stealer out in the open on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest veneer of obfuscation.

The perpetrators — whom researchers from Sonatype associated with a Spain-based malware-as-a-service (MaaS) gang called SylexSquad — gave their program a not-so-subtle name: "reverse-shell." Reverse shells are programs that hackers commonly use to run commands remotely and receive data from targeted computers.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

However, their brazenness doesn't end there.

Inside the 'reverse-shell' Data-Heisting Malware

Sonatype researchers did a double-take when they found a package called "reverse-shell" uploaded to a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers wondered in their Malware Monthly blog post.

The program turned out to be much more than a reverse shell, in fact. That became clear when the researchers examined one of its files, called "WindowsDefender.py."

WindowsDefender.py includes various obviously named functions, including get_login_data(), get_web_history(), get_downloads(), get_cookies(), get_credit_cards(), and ImageGrab.grab(). Per the theme, the hackers had not tried hard to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, [this] appears to be ... a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

Further answers lay in another file, "setup.py." Here, there were several Spanish-language instructions to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — an indication that reverse-shell was a MaaS product.

Further digging uncovered multiple "Made by SylexSquad" tags scattered in the code, some of which was lightly obfuscated. SylexSquad, the researchers found, was once a hacking marketplace operating over the Sellix e-commerce platform in 2022. It has since been shut down.

Publishing so openly to a public repo may have been a way for the group to intentionally draw attention to their product. "How do we know about groups like Anonymous or LulzSec or Killnet?" Conn asks, rhetorically. "It's because they get a reputation."

But PyPI holds much more value to them than that.

Why Hackers Use Public Repos

The SylexSquad attackers aren't the only miscreants utilizing forums like PyPI and GitHub, and there are many reasons for such brazenness, according to Sonatype.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather than delivering malware upfront — which antivirus scanners can pick up on quickly — hackers can simply link to their malicious code elsewhere: "By providing a link to a GitHub, they're maybe circumventing that check," he notes.

Public repositories have protective measures in place to avoid becoming a hub for hackers. Still, even the best scanners and moderators aren't perfect, and they can't be everywhere at once.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. In this case, SylexSquad encoded their malicious script as numbers, using easily reversible ASCII codes corresponding to each character.
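A static check for the encoding described above, as an added example (not Sonatype's tooling and not code from the package): it parses Python source without running it, decodes integer lists that map wholly to printable ASCII, and pairs that signal with any exec/eval call. The sample input, the 16-element threshold and the assumption that the codes sit in a list or tuple literal are constructed for illustration.

```python
import ast

# Constructed sample: a harmless string hidden as ASCII codes, mimicking the
# encoding style the article describes (not code from the real package).
SAMPLE = (
    "import os\n"
    "codes = [" + ", ".join(str(ord(c)) for c in "print('hello from decoded text')") + "]\n"
    "exec(''.join(chr(c) for c in codes))\n"
    "ports = [22, 80, 443]\n"
)

MIN_LEN = 16  # assumed threshold: shorter integer lists are too common to flag


def decode_int_sequences(source, min_len=MIN_LEN):
    """Return (line, decoded_text) for each list/tuple literal of integers
    that decodes entirely to printable ASCII."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.List, ast.Tuple)) or len(node.elts) < min_len:
            continue
        values = [e.value for e in node.elts
                  if isinstance(e, ast.Constant) and type(e.value) is int]
        if len(values) != len(node.elts):
            continue  # mixed content, not a pure integer sequence
        if all(v in (9, 10, 13) or 32 <= v <= 126 for v in values):
            findings.append((node.lineno, "".join(map(chr, values))))
    return findings


def dynamic_exec_lines(source):
    """Return line numbers of exec()/eval()/compile() calls."""
    return sorted(
        n.lineno for n in ast.walk(ast.parse(source))
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
        and n.func.id in {"exec", "eval", "compile"}
    )


def triage(source):
    """Summarise both signals; together they warrant manual review."""
    decoded = decode_int_sequences(source)
    execs = dynamic_exec_lines(source)
    return {"decoded": decoded, "exec_lines": execs,
            "review": bool(decoded and execs)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the source is only parsed, never imported or executed, the check is safe to run over an untrusted package's files before installation.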

In this case, Sonatype reported the package to the PyPI maintainers and it was taken down. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre views this story in light of a broader concern with open source software — that, as long as malware authors find use in public repositories, organizations must be aware of the kinds of packages they might be sweeping up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
