Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)
The Socket Research Team has identified a malicious Python package named ‘fabrice’, which poses as the popular ‘fabric’ SSH automation library and steals AWS credentials from unsuspecting developers.
This discovery underscores the continuing risk of malware being delivered via deceptively named open-source libraries, following recent large-scale attacks that have targeted NPM users.
Since its live debut on the PyPI repository in 2021, ‘fabrice’ has been covertly exfiltrating AWS credentials and has accumulated over 37,000 downloads.
The legitimate ‘fabric’ library, crafted by developer bitprophet, boasts over 201 million downloads and has gained the trust of developers globally. However, ‘fabrice’ seeks to exploit that trust with payloads designed for credential theft, backdoor creation, and executing commands on specific platforms.
Socket’s report delves into the malicious activities of ‘fabrice’ on both Linux and Windows systems, offering insights into its tactics and strategies to help mitigate such threats.
The illegitimate ‘fabrice’ employs distinct strategies for executing its malicious operations based on the underlying operating system, whether Linux or Windows. Detailed analyses of these operations reveal its sophisticated and sinister designs.
Linux
On Linux systems, ‘fabrice’ employs a function termed `linuxThread()`, which downloads, decodes, and executes scripts from an external server. It stages its files in a hidden directory and relies on obfuscation to avoid detection.
The `linuxThread()` function attempts to create a hidden directory (`~/.local/bin/vscode`) to store its downloaded, harmful payloads, making it difficult for users to spot any anomalies.
It uses an obfuscated URL, pieced together by string concatenation, to connect to an IP address (89.44.9.227 linked to a VPN server by M247 in Paris) for downloading the scripts. The text retrieved is then parsed into multiple executable files stored within the hidden directory.
By setting execute permissions, the function runs one of these scripts (`per.sh`), which potentially lets attackers execute commands with the user’s privileges.
Windows
For Windows platforms, ‘fabrice’ uses the `winThread()` function, which relies on base64-encoded payloads to build a hidden script execution chain and a persistence mechanism.
Within this function are two key base64-encoded payloads, designated as ‘vv’ and ‘zz’, each decoded to perform specific malicious tasks:
- ‘vv’: Upon decoding, ‘vv’ generates a VBScript (`p.vbs`) that surreptitiously runs a hidden Python script (`d.py`) without user consent. The VBScript employs the `WScript.Shell` object to conceal execution errors, allowing harmful activities to continue unchecked.
- ‘zz’: The ‘zz’ payload builds on the threat by downloading a supposed executable (‘chrome.exe’) from the attacker’s server (the same IP) and storing it in the Downloads folder. It then establishes persistence by creating a scheduled task (‘chromeUpdate’) that executes the file at regular 15-minute intervals. Subsequently, it removes the initial `d.py` script to leave fewer traces of its activities.
Exfiltration of AWS credentials
The primary objective of ‘fabrice’ seems to be the theft of AWS credentials. This package uses the `boto3` library to gather AWS access and secret keys, which it then transmits to a remote server. By acquiring these credentials, attackers potentially unlock access to sensitive cloud resources.
This data, transmitted to a VPN endpoint, aids in obscuring the attack origins and facilitates the misuse of the stolen credentials without easily tracing the perpetrator’s identity.
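The artefacts described above (the installed package name, the hidden Linux staging directory, the dropped `chrome.exe`, and the `chromeUpdate` scheduled task) can be checked for on a host. The following is an added example, not code from Socket's report: `check_host()` accepts the home directory, installed package names and task names as arguments so it can be exercised against a constructed layout, and the `schtasks` CSV parsing in `windows_task_names()` is an assumption about that command's output.

```python
from importlib import metadata
from pathlib import Path
import platform
import subprocess
import tempfile

# Indicator values are the ones the article reports.
PACKAGE_NAME = "fabrice"
LINUX_STAGING = Path(".local/bin/vscode")    # hidden dir created by linuxThread()
WINDOWS_DROP = Path("Downloads/chrome.exe")  # file fetched by the 'zz' payload
TASK_NAME = "chromeUpdate"                   # scheduled task created by the 'zz' payload

def installed_distributions():
    # Lower-cased names of every distribution visible to this interpreter.
    return {(d.metadata["Name"] or "").lower() for d in metadata.distributions()}

def windows_task_names():
    """Task names from 'schtasks /Query /FO CSV /NH' (output layout is an assumption)."""
    if platform.system() != "Windows":
        return set()
    out = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False)
    # First CSV column is the task path, e.g. "\chromeUpdate"; keep the leaf name.
    return {line.split('","')[0].strip('"').rsplit("\\", 1)[-1]
            for line in out.stdout.splitlines() if line.startswith('"')}

def check_host(home, installed=None, task_names=None):
    """Return findings for the 'fabrice' artefacts under the home directory `home`."""
    home = Path(home)
    installed = installed_distributions() if installed is None else installed
    task_names = windows_task_names() if task_names is None else task_names
    findings = []
    if PACKAGE_NAME in installed:
        findings.append(f"package '{PACKAGE_NAME}' is installed")
    if (home / LINUX_STAGING).is_dir():
        findings.append(f"hidden staging directory present: {home / LINUX_STAGING}")
    if (home / WINDOWS_DROP).is_file():
        findings.append(f"dropped file present: {home / WINDOWS_DROP}")
    if TASK_NAME.lower() in {t.lower() for t in task_names}:
        findings.append(f"scheduled task '{TASK_NAME}' present")
    return findings

def demo():
    """Scan a constructed home directory laid out like an infected host."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / LINUX_STAGING).mkdir(parents=True)
        (Path(tmp) / WINDOWS_DROP).parent.mkdir()
        (Path(tmp) / WINDOWS_DROP).write_bytes(b"placeholder, not a real binary")
        return check_host(tmp, installed={"fabrice", "boto3"}, task_names={"chromeUpdate"})
```

Running `check_host(Path.home())` with no other arguments inspects the current machine; a non-empty result is a reason to rotate any AWS keys that were reachable from that host.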
Recognising the severe risk posed by ‘fabrice’, the Socket Research Team has reported this malicious package to the PyPI team for removal. Socket encourages developers to remain vigilant, diligently verify dependencies, and adopt threat detection tools to prevent any unauthorised intrusions into their critical environments.
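One concrete way to "diligently verify dependencies" against this kind of typosquat is to compare every name in a requirements file with an allow-list of the packages a team actually uses and flag near-misses such as ‘fabrice’ for ‘fabric’. This is an added example, not part of the article or of Socket's tooling; the allow-list and the sample requirements are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed allow-list; a real deployment would use the organisation's approved set.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "invoke"}

def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_name(line: str) -> Optional[str]:
    """Distribution name from one requirements.txt line, or None for blanks/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def find_suspects(requirements: str, known: Set[str] = KNOWN_PACKAGES,
                  max_distance: int = 2) -> List[Tuple[str, str]]:
    """Return (name, lookalike) pairs for names near, but not in, the allow-list."""
    suspects = []
    for raw in requirements.splitlines():
        name = requirement_name(raw)
        if name is None or normalize(name) in known:
            continue
        # Report the closest allow-listed name so the reviewer sees what was imitated.
        closest = min(known, key=lambda good: edit_distance(normalize(name), good))
        if edit_distance(normalize(name), closest) <= max_distance:
            suspects.append((name, closest))
    return suspects

if __name__ == "__main__":
    SAMPLE = "fabric==3.2.2\nfabrice\nrequests>=2.31  # pinned elsewhere\n-r dev.txt\n"  # constructed
    print(find_suspects(SAMPLE))  # [('fabrice', 'fabric')]
```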