Researchers at Fortinet have uncovered two malicious packages in the Python Package Index (PyPI). The packages, named Zebo and Cometlogger, were built to steal confidential information from the machines they infect. Both have since been removed, but not before being downloaded 118 and 164 times respectively, with most downloads reported from the United States, China, Russia, and India.
Zebo is a textbook piece of malware, bundling surveillance, data exfiltration, and unauthorized remote control. According to researcher Jenna Wang, Cometlogger is similarly malicious: it modifies files dynamically, injects webhooks, steals data, and includes checks to evade analysis in virtual machines.
Zebo hides the URL of its command-and-control (C2) server as hex-encoded strings that are decoded only at runtime, so the address never appears in plain text in the package source. It captures keystrokes with the pynput library and takes a screenshot every hour with PIL's ImageGrab. The screenshots are saved locally and then uploaded to the ImgBB image-hosting service using an API key fetched from the C2 server. On Windows, Zebo also drops a startup script so that it is relaunched after a reboot. None of this is sophisticated obfuscation: a long, even-length hex string constant in a package is trivially decoded, and decoding it during review would have exposed the C2 address.
Cometlogger is the more capable of the two. It steals files, passwords, tokens, and application data from Discord, Steam, Instagram, TikTok, and other popular applications, and it collects system metadata, network information, the list of running processes, and clipboard contents. To evade analysis it checks whether it is running in a virtual environment, and it terminates browser processes so that the credential and token databases those browsers hold open can be read. Its tasks run asynchronously, which lets it pull large volumes of data off a machine quickly.
Security experts advise treating scripts like these with suspicion: their deliberately opaque code and unusual behavior are themselves warning signs. Review the source of a package before installing or running it, and avoid packages from publishers you cannot verify. In a dependency that has no reason to need them, imports of input-monitoring or screen-capture libraries, long hex-encoded string constants, virtual-machine checks, process termination, and writes to startup locations are the kinds of red flags that both of these packages would have shown on inspection.
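The following is an added example of the kind of pre-install review described above; it is not Fortinet's code and not a reproduction of either package. It parses a Python source file and flags the behaviours the article attributes to Zebo and Cometlogger: suspicious imports (pynput, ImageGrab, asyncio), hex-encoded string constants that decode to a URL, and strings pointing at an image host, a Discord webhook, the Windows Startup folder, taskkill, VM vendor names, or browser credential stores. The indicator patterns are illustrative, not Fortinet's published IOCs, and the sample source is constructed for this example, with c2.example.com standing in for a C2 address.

```python
import ast
import re

# Illustrative indicators (assumption: not Fortinet's IOC list) drawn from the
# behaviours the article describes for Zebo and Cometlogger.
SUSPICIOUS_IMPORTS = {
    "pynput": "keystroke capture",
    "PIL.ImageGrab": "screen capture",
    "asyncio": "asynchronous bulk collection",
}
SUSPICIOUS_STRINGS = {
    r"imgbb\.com": "image-host upload endpoint",
    r"discord\.com/api/webhooks": "webhook exfiltration endpoint",
    r"Start Menu\\Programs\\Startup": "Windows startup-folder persistence",
    r"\btaskkill\b": "process termination (unlocks browser databases)",
    r"\b(VMware|VirtualBox|QEMU|Hyper-V)\b": "virtual-machine check",
    r"Login Data|leveldb": "browser credential or token store access",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")


def decode_hex_literals(tree: ast.AST) -> list[str]:
    """Return printable text hidden in long, even-length hex string constants."""
    decoded = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if len(s) % 2 == 0 and HEX_RE.match(s):
                try:
                    text = bytes.fromhex(s).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue
                if text.isprintable():
                    decoded.append(text)
    return decoded


def imported_names(tree: ast.AST) -> set[str]:
    """Collect fully qualified names from import and from-import statements."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
            names.update(f"{node.module}.{a.name}" for a in node.names)
    return names


def triage(source: str) -> dict:
    """Static triage of one Python source file; returns findings and a crude score."""
    tree = ast.parse(source)
    decoded = decode_hex_literals(tree)
    matched = {key for name in imported_names(tree) for key in SUSPICIOUS_IMPORTS
               if name == key or name.startswith(key + ".")}
    findings = {
        "imports": [(k, SUSPICIOUS_IMPORTS[k]) for k in sorted(matched)],
        "strings": [],
        "decoded_hex": decoded,
    }
    # Scan the raw source and, separately, the text recovered from hex literals,
    # so an indicator hidden behind bytes.fromhex() is still caught.
    for label, text in [("source", source)] + [("hex", t) for t in decoded]:
        for pat, why in SUSPICIOUS_STRINGS.items():
            if re.search(pat, text):
                findings["strings"].append(why if label == "source" else f"{why} (hex-encoded)")
    findings["score"] = len(findings["imports"]) + len(findings["strings"]) + len(decoded)
    return findings


# Constructed sample mimicking the described tricks; the two hex literals decode to
# "https://c2.example.com/key" (placeholder C2) and "https://api.imgbb.com/1/upload".
SAMPLE = r'''
import os, sys, subprocess, asyncio
from pynput import keyboard
from PIL import ImageGrab

C2 = bytes.fromhex("68747470733a2f2f63322e6578616d706c652e636f6d2f6b6579").decode()
UPLOAD = bytes.fromhex("68747470733a2f2f6170692e696d6762622e636f6d2f312f75706c6f6164").decode()
WEBHOOK = "https://discord.com/api/webhooks/0000/placeholder"

def anti_vm():
    out = subprocess.run(["wmic", "computersystem", "get", "manufacturer"], capture_output=True, text=True).stdout
    if "VMware" in out or "VirtualBox" in out:
        sys.exit(0)

def persist():
    startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
    open(os.path.join(startup, "run.bat"), "w").write("python main.py")

def unlock_browser():
    subprocess.run(["taskkill", "/F", "/IM", "chrome.exe"])
    return os.path.join(os.environ["LOCALAPPDATA"], r"Google\Chrome\User Data\Default\Login Data")
'''

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("imports", "decoded_hex", "strings"):
        print(f"{key}: {report[key]}")
    print("score:", report["score"])
```

Run it against the unpacked sdist or wheel contents of a package before installing; any non-zero score deserves a manual look, and the decoded hex list shows exactly what an obfuscated string was hiding. The score is a triage aid, not a verdict: a legitimate screenshot tool will import ImageGrab, and a clean package scores zero only as far as these particular indicators go.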