Kroll has identified a full-featured information stealer and remote access tool in the Python Package Index (PyPI) that it is calling “Colour-Blind”.
In this blog post, we outline what the Colour-Blind trojan is, how it works and what it tells us about the changing nature of malware.
What is the Colour-Blind trojan?
Colour-Blind is a fully featured information stealer and remote access tool written in Python. Kroll made the discovery as part of a project to gain greater awareness of initial attack vectors outside of the common phishing and web application exploitation. Kroll’s Cyber Threat Intelligence team has developed a tool to enable the enhanced monitoring of the Python Package Index (PyPI) to find and obtain malicious packages that are added to it.
The importance of this discovery is reflected by coverage in the security press, with features in The Register and Security Boulevard. The “Colour-Blind” malware highlights the continued democratisation of cybercrime. It has the potential to lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others.
Colour-Blind remote access tool functionality
The web application serves as a control panel for the malware, and the available options indicate the functionality of a remote access trojan. The web code for this page is basic, giving rise to our tracking name for this malware, “Colour-Blind,” based on the original PyPI package name (“colourfool”) and the rudimentary design choices made here.
Colour-Blind and the development of malware
Our analysis of the Colour-Blind malware reveals some interesting insights:
- The combination of obfuscation alongside blatant malicious code indicates that it is unlikely that all the code was developed by a single entity.
- The type of defense evasion behavior exhibited by the Colour-Blind malware adds strength to the hypothesis that the code has been plagiarized from multiple sources, and that the final developer might not be particularly sophisticated in their methods.
- The persistence mechanism the malware uses is to add a Visual Basic (VB) script named “Essentials.vbs” to the “Start Up” folder within the user’s “Start Menu”. The VB script runs a Windows batch file that the malware places in the same folder as “python.exe”. This batch file will start the malware using Python every time the user logs in.
- The Colour-Blind malware also demonstrates how the common functionality of malware can easily be written in modern languages such as Python.
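The persistence chain described above (a VBScript in the Start Menu “Start Up” folder that runs a batch file placed next to python.exe) is a concrete thing a defender can hunt for. The following is an added example written for this post, not Kroll’s monitoring tool or any code from the malware: it scans a Startup folder for .vbs files, extracts the batch file each one runs through WScript.Shell.Run, and flags any batch file that references a Python interpreter. The sample artefacts it builds in a temporary directory are a constructed, inert replica of the layout; only the name “Essentials.vbs” comes from the post, while the directory name “Python311”, the batch file name “launch.bat” and the file contents are assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Matches WScript.Shell .Run calls whose target is a .bat/.cmd file, with or
# without VBScript quoting ("path" or """path""").
VBS_RUN_BATCH = re.compile(r'\.Run\s+"*([^",]+?\.(?:bat|cmd))"*', re.IGNORECASE)
# Any reference to a Python interpreter inside the batch file.
PYTHON_LAUNCH = re.compile(r"python(?:w)?\.exe", re.IGNORECASE)


def batch_targets(vbs_path):
    """Return the .bat/.cmd paths a VBScript launches via WScript.Shell.Run."""
    text = Path(vbs_path).read_text(errors="replace")
    return [m.group(1) for m in VBS_RUN_BATCH.finditer(text)]


def batch_launches_python(batch_path):
    """True if the batch file exists and references python.exe / pythonw.exe."""
    p = Path(batch_path)
    if not p.is_file():
        return False
    return bool(PYTHON_LAUNCH.search(p.read_text(errors="replace")))


def scan_startup(startup_dir):
    """Flag every .vbs in the Startup folder that chains into a batch file.
    Returns a list of finding dicts (empty when nothing matches)."""
    findings = []
    for vbs in sorted(Path(startup_dir).glob("*.vbs")):
        for bat in batch_targets(vbs):
            findings.append({
                "vbs": vbs.name,
                "batch": bat,
                "batch_exists": Path(bat).is_file(),
                "launches_python": batch_launches_python(bat),
            })
    return findings


def build_sample(root):
    """Construct an inert replica of the artefact layout for offline testing:
    a Startup folder holding Essentials.vbs and an assumed Python directory
    holding the batch file it runs. Neither python.exe nor the script the
    batch file names exists, so nothing here can execute."""
    root = Path(root)
    startup = root / "Start Menu" / "Programs" / "Startup"
    pydir = root / "Python311"          # assumed interpreter location
    startup.mkdir(parents=True)
    pydir.mkdir()
    bat = pydir / "launch.bat"          # assumed batch file name
    bat.write_text('@echo off\nstart "" "%s" "%s"\n'
                   % (pydir / "python.exe", pydir / "payload.py"))
    (startup / "Essentials.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\nsh.Run """%s""", 0\n' % bat)
    return startup


def run_demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_startup(build_sample(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real Windows host, point scan_startup at the per-user folder %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users folder %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp. A .vbs that launches a batch file at all is unusual enough in most estates to be worth a look; one whose batch file sits beside python.exe and starts a script from a site-packages directory matches the chain this post describes.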
In response, Kroll will continue to monitor open-source language repositories for further malware strains in order to enable further detection opportunities.
Follow these key steps to help ensure your organisation is better defended against the Colour-Blind trojan and other malware:
- Ensure that all imported libraries are verified by developers
- Consider deploying sandboxes as part of the development process in order to build targets before they are pushed to production
- Use virtualised environments for development tasks that can be rapidly rebuilt should a malicious package be installed
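The first of these steps, verifying imported libraries, can be made mechanical by pinning every dependency to an exact version and a SHA-256 hash and refusing to install anything that does not match. The following is an added example, not code from Kroll or from the malware: it parses a requirements file written in pip’s own `--hash=sha256:` syntax (the form pip enforces with `pip install --require-hashes`), verifies a downloaded artifact against the pins, and fails closed when a package has no pin at all. The package name “examplepkg”, the wheel bytes and the requirements text are constructed for the demonstration; the only page-derived name is “colourfool”, used here as the unpinned package that must be rejected.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed requirements fragment in pip's hash-pinning syntax. The hash is
# filled in at runtime from the constructed wheel so the example runs offline.
REQUIREMENTS_TEMPLATE = """\
# pinned, hash-verified dependency (constructed example)
examplepkg==1.0.0 \\
    --hash=sha256:{wheel_hash}
"""

# Only exact '==' pins are accepted; ranges cannot be hash-verified.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_requirements(text):
    """Map (name, version) -> set of allowed 'sha256:<hex>' pins.
    Handles '#' comments and backslash line continuations as pip does."""
    pins = {}
    parts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        logical = " ".join(parts).split()
        parts = []
        if not logical:
            continue
        m = REQ_LINE.match(logical[0])
        if not m:
            raise ValueError("only exact '==' pins are accepted: %r" % logical[0])
        name = m.group(1).lower().replace("_", "-")
        pins[(name, m.group(2))] = {
            t[len("--hash="):] for t in logical[1:] if t.startswith("--hash=")
        }
    return pins


def verify_artifact(artifact_path, name, version, pins):
    """True only if the artifact's SHA-256 matches a pin for name==version.
    A missing pin and a hash mismatch both fail closed."""
    allowed = pins.get((name.lower().replace("_", "-"), version), set())
    if not allowed:
        return False
    return "sha256:" + sha256_file(artifact_path) in allowed


def run_demo():
    """Constructed end-to-end check: the pinned artifact passes, a tampered
    copy is rejected, and a package with no pin is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "examplepkg-1.0.0-py3-none-any.whl"
        good.write_bytes(b"constructed wheel bytes, not a real package\n")
        pins = parse_requirements(
            REQUIREMENTS_TEMPLATE.format(wheel_hash=sha256_file(good)))
        tampered = Path(tmp) / "tampered.whl"
        tampered.write_bytes(good.read_bytes() + b"\x00")
        return {
            "pinned_ok": verify_artifact(good, "examplepkg", "1.0.0", pins),
            "tampered_rejected": not verify_artifact(tampered, "examplepkg", "1.0.0", pins),
            "unpinned_rejected": not verify_artifact(good, "colourfool", "1.0.0", pins),
        }


if __name__ == "__main__":
    print(run_demo())
```

In a build pipeline the artifacts would come from `pip download -r requirements.txt -d wheels/`, be checked with verify_artifact (or simply installed with `pip install --require-hashes`, which performs the same comparison), and only then be installed into the sandbox or disposable environment the remaining steps describe. A hash pin guarantees that what is installed is byte-for-byte what a developer reviewed; it does not make the reviewed package benign, so the review itself still matters.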