Malicious Python packages exploit Gmail and WebSockets

Socket analysts reported their findings to the Python Package Index (PyPI), and malicious packages were removed from it. However, some of them had been present on PyPI for more than four years, and one package was downloaded more than 18,000 times.

Malware was identified in the following packages:

• Coffin-Codes-Pro (9000 downloads);
• Coffin-Codes-NET2 (6200 downloads);
• Coffin-Codes-NET (6100 downloads);
• Coffin-Codes-2022 (18,100 downloads);
• Coffin2022 (6500 downloads);
• Coffin-Grave (6500 downloads); and 
• cfc-bsb (2900 downloads).

The malicious Coffin packages pose as the legitimate Coffin adapter that integrates Jinja2 templates into Django projects.

Their malicious functionality includes covert remote access and data exfiltration via Gmail.

The packages use hardcoded credentials to log into the Gmail SMTP server (smtp.gmail.com) and transmit information collected on victim hosts to their operators, thus, enabling them to remotely access compromised systems. Since Gmail is a trusted resource, firewalls and EDR systems are unlikely to consider such activity suspicious.

After sending the stolen data by email, the malware connects to the remote server over SSL using WebSocket and receives instructions on setting up an encrypted bidirectional tunnel from the host to the attacker.

Using the Client class, the malware tunnels traffic from the remote host to the local system to provide access to the internal admin panel and API and perform such operations as file transfer, email theft, execution of shell commands, collection of credentials, and lateral movement.

Based on the email addresses used (e.g. blockchain.bitcoins2020@gmail.com), Socket analysts conclude that the primary purpose of the malicious packages is to steal cryptocurrency, especially taking that similar tactics were previously used to steal Solana private keys.