In the months since my last posts regarding malicious code in the PyPI repository, I made some improvements to my static code analysis tool (see Detecting Cyber Attacks on PyPI for background). As part of this effort I recently rescanned the PyPI repository and this is what I found.
While analyzing the data from the scan, I discovered an interesting PyPI package named ‘pytz3-dev’. This package is “typo-squatting” the popular PyPI package named ‘pytz’ by adding a number at the end of the package name (maybe to indicate or imply a version) and also using the Ubuntu package management convention of adding a ‘-dev’ at the end of the package name to indicate that it is the development resources for the original package. This convention is not used in Python, but someone could mistakenly install this package instead of ‘pytz’. The original ‘pytz’ package is used as a Python library for various timezone operations when working with times and dates. The author of the ‘pytz3-dev’ package seems to have taken the content of the ‘pytz’ package and republished it as ‘pytz3-dev’ with some additional malicious code. Most malicious PyPI packages I’ve analyzed before added their malicious code to the setup.py file so that it only runs during the installation of the PyPI package. However, in this case the malicious code was added to a __init__.py file in the main code base which will run every time this Python module is imported.
The malicious code seems to search for a SQLite database file used by the Discord chat application (if installed) on a Windows system. Discord uses the SQLite database for storing user configuration for the application. This SQLite database also includes a token used by the Discord application to authenticate the user. The malicious code attempts to extract this token from the database file by manually searching through the data in the file without using a SQLite API. The lack of SQLite API usage probably makes it easier to deploy the malicious code since there is no requirements on having any SQLite libraries installed on the target system. Once the Discord token is found, it is sent to a web server.
Details about the pytz3-dev Package
The ‘pytz3-dev’ package have been on PyPI since September 17th, 2018. The author seems to have copied the ‘pytz’ package code and then added malicious code that finds the Discord application’s data folder on Windows machines and then attempts to extract the Discord token from a SQLite database file. According to pypistats.org the package has been downloaded about 47 times in the last month. The package has been reported as malicious to the PyPI administrators.
Recommendations
- Uninstall the ‘pytz3-dev’ package if it is installed on your system.
- Reset your Discord token if possible.
Detailed Analysis of the Malicious Code
The malicious code (shown below) is added to the pytz3/__init__.py file at the top of the ‘timezone’ function. The malicious code is obfuscated using base64 encoding.
The malicious code uses the base64 library to decode the obfuscated code and then executes it. The decoded code is shown below. The use of ‘os.getenv(“APPDATA”)’ indicates that the malicious code is targeting Microsoft Windows systems only. Once the Discord token is extracted, it is sent to a Heroku application server.
