Malicious PyPI Packages Zebo and Cometlogger: A Quick Look at What to Know
Cybersecurity researchers recently found two malicious packages on the Python Package Index (PyPI). The packages, named zebo and cometlogger, were built to steal sensitive information and hijack social media accounts.
Discovery Details
Fortinet FortiGuard Labs identified the packages; by the time they were reported, zebo had been downloaded 118 times and cometlogger 164 times.
Zebo: The Keystroke Logger
Hiding Techniques
Zebo uses simple but effective methods to avoid detection. It stores its communication URLs as hex-encoded strings that are decoded only at runtime, so a plain text search over the package source turns up no obvious endpoint, and it talks to a Firebase database over ordinary HTTP requests, which blend in with legitimate traffic.
Logging Keystrokes
The malware records every keystroke with the pynput library, writing them to a local file before sending them to a remote server. Zebo also periodically captures screenshots with ImageGrab (from the Pillow imaging library) and uploads them to an external server.
Staying Active
To survive reboots, Zebo writes a script and a batch file to the Windows Startup folder, so the malware runs every time the user logs on and remains a long-term threat rather than a one-off infection. The package also embeds webhook URLs into files, allowing remote attackers to execute commands or extract data.
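The three traits above (hex-encoded endpoints, keylogging and screenshot libraries, and a Startup-folder path) are all visible in the package source once the strings are decoded, which makes them good targets for a static triage pass before anything is installed. The following scanner is an added example written for this article, not code from Fortinet or from either package. It parses a Python file with the standard ast module, decodes literals passed to bytes.fromhex() as well as ordinary "\x.." escaped literals, and flags command-and-control hosts, suspicious imports and Startup-folder references. The sample module it scans is constructed here to resemble the behaviour described, and the Firebase and webhook URLs in it are placeholders, not zebo's real endpoints.

```python
import ast
import re

# Constructed placeholder endpoints; they stand in for whatever the real package decodes at runtime.
FIREBASE_URL = "https://example-app.firebaseio.com"
WEBHOOK_URL = "https://discord.com/api/webhooks/123"

# Constructed stand-in for a suspicious module; this is not zebo's actual source.
SAMPLE_SOURCE = r'''
import os
from pynput import keyboard
from PIL import ImageGrab

_c2 = bytes.fromhex("__HEX__").decode()
_hook = "__ESC__"
_startup = os.path.join(os.getenv("APPDATA"), r"Microsoft\Windows\Start Menu\Programs\Startup")
'''.replace("__HEX__", FIREBASE_URL.encode().hex()).replace(
    "__ESC__", "".join(f"\\x{b:02x}" for b in WEBHOOK_URL.encode()))

URL_RE = re.compile(r"https?://[^\s\"']+")
C2_HINTS = ("firebaseio.com", "discord.com/api/webhooks", "discordapp.com/api/webhooks")
STARTUP_HINT = "start menu\\programs\\startup"


def _candidate_strings(tree):
    """Yield (value, origin) for every string the code could use as a URL or path.

    The parser has already resolved hex escapes in plain literals, so an
    obfuscated "\\x68\\x74..." URL comes back decoded; hex handed to
    bytes.fromhex() is decoded here explicitly.
    """
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value, "literal"
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute) and node.func.attr == "fromhex"
              and isinstance(node.func.value, ast.Name) and node.func.value.id == "bytes"
              and node.args and isinstance(node.args[0], ast.Constant)
              and isinstance(node.args[0].value, str)):
            try:
                yield bytes.fromhex(node.args[0].value).decode("utf-8", "replace"), "bytes.fromhex"
            except ValueError:
                continue  # not valid hex, nothing to decode


def _imported_names(tree):
    """Yield dotted names for 'import x' and 'from x import y' statements."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                yield f"{node.module}.{alias.name}"


def triage(source: str):
    """Return a list of (category, detail) findings for one Python source file."""
    tree = ast.parse(source)
    findings = []
    for name in _imported_names(tree):
        if name.split(".")[0] == "pynput" or name == "PIL.ImageGrab":
            findings.append(("suspicious-import", name))
    for value, origin in _candidate_strings(tree):
        for url in URL_RE.findall(value):
            if any(hint in url for hint in C2_HINTS):
                findings.append(("c2-url", f"{url} ({origin})"))
        if STARTUP_HINT in value.lower():
            findings.append(("startup-persistence", value))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_SOURCE):
        print(f"{category:22} {detail}")
```

Run it against every .py file in a downloaded sdist, including setup.py, since that file executes during pip install. The decoding only covers the two obfuscation forms above; strings assembled at runtime (chr() joins, base64, XOR loops) will not be recovered, so an empty result is a weak signal while a hit is a strong one.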
Cometlogger: The Social Media Hijacker
Gathering Data
Cometlogger collects a wide range of data: cookies, saved passwords, session data and credentials from browsers and cryptocurrency wallets. By decrypting browser storage files it recovers payment card details and user credentials for platforms such as Discord, Instagram and Twitter. The malware also gathers system details, network configuration and clipboard contents, and refuses to run inside virtual machine environments.
Compressing and Avoiding Detection
Cometlogger uses UPX (Ultimate Packer for eXecutables) to compress its components, which changes the file's hashes and hides the plaintext code from simple signature matching. The protection is shallow: UPX is a well-known packer, the packed file keeps recognisable section names and an "UPX!" marker, and analysts and many security products unpack it automatically with upx -d, so the packing mainly defeats naive static scans rather than real analysis. The package also checks for virtual machine indicators such as "VMware" or "VirtualBox" and exits if it finds them, to avoid running inside the sandboxed environments researchers typically use.
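Because stock UPX leaves its section names and marker in place, a packed component can be spotted without running it. The code below is an added example for this article, not Fortinet's tooling or anything from cometlogger: it parses the PE header and section table directly with the standard struct module and reports the UPX indicators. The build_fake_pe helper constructs a minimal PE skeleton purely so the check can run offline; it is not a loadable executable, and the section names and marker text it uses are the ones stock UPX writes.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"  # written by stock UPX into its own header inside the packed file


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data does not parse as PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header after the signature: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes and starts with the 8-byte name
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Summarise the two cheap signs of stock UPX packing."""
    names = pe_section_names(data)
    upx_sections = sorted(n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES)
    marker = UPX_MARKER in data
    return {"upx_sections": upx_sections, "upx_marker": marker,
            "packed": bool(upx_sections) or marker}


def build_fake_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE skeleton (DOS header, COFF header, section table) for
    offline testing. It has no optional header and cannot be loaded or executed."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    section_table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + coff_header + section_table + trailer


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"3.96\0UPX!")
    clean = build_fake_pe([b".text", b".rdata", b".data"])
    print("packed sample:", upx_indicators(packed))
    print("clean sample: ", upx_indicators(clean))
```

Treat a hit as a triage signal, not a verdict: legitimate software is UPX-packed too, and a custom UPX build can rename the sections and patch the marker, so a negative result does not rule packing out. Once flagged, upx -d restores the original binary and the strings (including the "VMware" and "VirtualBox" checks) become visible to ordinary static analysis.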
Implications and Recommendations
Developer Caution
The discovery of these malicious packages highlights the ongoing security challenges in public code repositories. Developers should be careful when adding third-party packages to a project: check that the name is the package you intended and not a look-alike, read the source before it runs (pip install executes setup.py, so fetching the archive with pip download and inspecting it is safer than installing first), and pin exact versions with their hashes so a later upload cannot silently replace what was reviewed. Security researchers recommend thorough code review before execution and avoiding unverified script sources.
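Hash pinning is the mechanical half of that advice: once a package archive has been reviewed, record its digest so that any different file served under the same name and version is rejected. The following is an added example for this article, not code from pip or from Fortinet. It produces the requirements line that pip's --require-hashes mode expects and checks a downloaded archive against it. The archive bytes and the package name examplepkg are constructed placeholders.

```python
import hashlib
import re

HASH_OPTION = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
PINNED_SPEC = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)")


def pin_line(name: str, version: str, archive: bytes) -> str:
    """Build the requirements line for an archive that has already been reviewed."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(archive).hexdigest()}"


def parse_pinned_requirement(line: str):
    """Return (name, version, [(algorithm, digest), ...]); reject anything not exactly pinned."""
    m = PINNED_SPEC.match(line)
    if not m:
        raise ValueError(f"not exactly pinned with ==: {line!r}")
    hashes = [(h.group("alg"), h.group("digest")) for h in HASH_OPTION.finditer(line)]
    if not hashes:
        raise ValueError(f"no --hash option on: {line!r}")
    return m.group("name"), m.group("version"), hashes


def is_pinned(line: str) -> bool:
    """True only for a line that carries an exact version and at least one hash."""
    try:
        parse_pinned_requirement(line)
        return True
    except ValueError:
        return False


def archive_matches(archive: bytes, hashes) -> bool:
    """True if the archive matches any pinned digest (several are allowed, e.g. sdist and wheel)."""
    return any(hashlib.new(alg, archive).hexdigest() == digest for alg, digest in hashes)


def verify_download(line: str, archive: bytes) -> bool:
    """Decide whether a downloaded archive may be installed under this requirement line."""
    _, _, hashes = parse_pinned_requirement(line)
    return archive_matches(archive, hashes)


# Constructed stand-ins: a reviewed sdist and the same bytes with one byte appended.
REVIEWED_SDIST = b"PK\x03\x04 reviewed examplepkg-1.0.0 contents"
TAMPERED_SDIST = REVIEWED_SDIST + b"\x00"
PIN = pin_line("examplepkg", "1.0.0", REVIEWED_SDIST)

if __name__ == "__main__":
    print(PIN)
    print("reviewed archive accepted:", verify_download(PIN, REVIEWED_SDIST))
    print("tampered archive accepted:", verify_download(PIN, TAMPERED_SDIST))
```

In practice pip does this enforcement itself with pip install --require-hashes -r requirements.txt. The caveat matters here: a hash only proves you got the same file you reviewed. Both zebo and cometlogger were malicious in the form they were published, so pinning them would have pinned the malware; the review step has to come first.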
User Vigilance
The incident underscores the need for caution when consuming open-source software from public repositories. Anyone who installs packages, not only developers, should understand that an install can run arbitrary code and take appropriate steps to protect sensitive information, such as keeping credentials out of the environments where untrusted packages are tried.
Conclusion
The uncovering of zebo and cometlogger is a reminder that the threat landscape around public package repositories keeps changing. By staying informed and adopting the practices above, the community can better defend against such malicious activity.