botaa3 Malware

botaa3 Malware Description

Another threatening package was discovered on the Python Package Index (PyPI) repository. Before it was taken down, the threat had managed to rack up around 130 downloads. The package was named 'botaa3' in a poor attempt to imitate the name 'boto3,' the widely popular Amazon Web Services (AWS) Software Development Kit (SDK) for Python.

Cybersecurity experts analyzed the code of the threat and discovered its nefarious capabilities. The botaa3 package, if deployed successfully, would provide the attackers with the ability to execute arbitrary code on the breached system, effectively taking control over it.

Technical Details

The botaa3 package featured several layers of obfuscation using base64 encoding and bitwise XOR encryption. It also carried the entire code of the legitimate boto3 package. In fact, the threat installed boto3 as part of its actions, in an attempt to avoid raising any suspicion. Also buried in the code is a 'KillDate' set to November 17, 2020. After this date, the botaa3 package will no longer be operational.

Threatening Capabilities

One of the first actions taken by the malware is to check in with its Command-and-Control (C2, C&C) server. During this step, botaa3 exfiltrates various information taken from the victim's system. The data includes the IP address, OS and architecture details, account credentials, hostname, FQDN (fully qualified domain name) and more.

Afterward, botaa3 will wait for incoming commands. The threat actors are able to collect files or download additional ones, manipulate the file system (delete files and folders), open reverse shells, load additional Python modules and scripts, etc. The attackers can also instruct the malware to stop its activities and lie dormant.

After being notified of the presence of the botaa3 threat, the PyPI security team took action almost immediately and removed the threatening package.