We’ve got a rather interesting malicious finding this month to talk about, the one that mixes a meme with malware.
Tracked as sonatype-2023-2950, it’s a malicious PyPI package called ‘feur’ which was caught by Sonatype’s automated malware detection systems and has since been removed.
Analyzed by our rockstar senior security researcher, Ali ElShakankiry, feur’s very name led us to expand the scope of our research beyond just technical nitty gritty.
The term is, after all, a popular French meme. “Feur” is often jokingly uttered in response to “Quoi?” (What?) as the terms, when uttered together (“Quoi+feur”), would sound akin to coiffeur, which means a hairdresser. An equivalent in English could be "Scream" as a humorous response to "I" to sound like "ice cream."
As soon as the package is installed, it runs the ‘setup.py’ file contained within. The file is quite straightforward – it packs two base64-encoded strings within itself:
The first one (on line 7), establishes a reverse shell connection to an Ngrok tunnel purportedly setup by the package’s author(s):
The other encoded one-liner (line 26) actually packs an entire Windows Executable (.exe) file within itself, which is a Remote Access Trojan (RAT) [VirusTotal analysis] that runs as soon as the package is installed.
The EXE is "a PyInstaller executable intended for Windows hosts, embeds multiple Python modules – both in plaintext format and bytecode," explains ElShakankiry. “It can persist on the system and attempt to hide itself among other functionality.”
ElShakankiry dug deeper into the scripts contained within the malicious executable. These, like any other RAT, have surveillance capabilities with regards to accessing a user’s clipboard, network, webcam, or generating screenshots on the fly:
This is all in addition to being a Discord stealer.
ElShakankiry’s analysis of files further led him to a GitHub repository called ‘NullRAT’ that touts itself as an open source repository of a “next-generation of Discord RATs.” The researcher concluded this to be “an exact copy of NullRAT,” with minor modifications with regards to how scripts are run, and a lack of obfuscation.
“It's definitely more than just a Discord stealer,” explains the researcher.
“Discord is being utilized for bot coordination akin to botnet behavior. The obfuscation option using PyArmor was skipped in the build process.”
We also identified the repository associated with a ‘FeurGroup’ who appears to be behind the package. The so-called francophone “FeurGroup” indeed maintains a Discord server and a Twitter account that frequently retweets other French accounts. These accounts are live at the time of our writing:
ElShakankiry acknowledges that this appears to be a testing ground for threat actors, as we can’t imagine many developers installing ‘feur’.
“It looks like someone was just trying it out and went ahead and published it on PyPI,” says the researcher, noting the package’s notably low download count. “There's no indication of it being widely deployed by the same group.”
Granted, ‘feur’ may be nothing more than a prank, the payload it contains is very real and based on an open source info-stealing arsenal. We cannot say how the next wave of threat actors, who could easily repurpose NullRAT, would target developers and organizations of legitimate components – as we’ve seen before with cases like the CursedGrabber campaign.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.