Colour-Blind RAT

Cybersecurity researchers have uncovered a threatening Python package uploaded to the Python Package Index (PyPI), containing a harmful information stealer and Remote Access Trojan (RAT). The package was named 'colourfool' and was identified by a security research team, who named the malware threat itself 'Colour-Blind.'

This incident highlights the growing trend of democratized cybercrime, where ill-minded actors can easily access and repurpose existing code for their own purposes. The researchers explained that the democratization of online crime could lead to an intensified threat landscape, as attackers can create multiple variants of their malware by leveraging code sourced from others.

Like other recent rogue Python modules, Colour-Blind uses a technique to conceal its malicious code in the setup script. The setup script then points to a ZIP archive payload that is hosted on the legitimate Discord platform. This allows the malware to evade detection by some traditional security measures, making it more difficult to detect and remove.

The Colour-Blind RAT Carries the Code for the 'Snake' Game

The malware utilizes a persistence mechanism that involves adding a Visual Basic (VB) script named 'Essentials.vbs' to the 'Start Up' folder in the user's 'Start Menu.' Upon login, the VB script executes a Windows batch file that the malware drops into the same folder as 'python.exe.' This batch file starts the malware using Python every time the user logs in, ensuring that the malware remains active and present on the system.
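The persistence chain above (a VBScript in the per-user Startup folder that runs a batch file, which in turn launches Python) can be hunted for with a small script. The following is an added example, not code from the original report or from the malware; the sample VBS and batch contents, the file names 'launcher.bat' and 'payload.py', and the 'C:\Python311' path are constructed for the demo, while scan_startup() reads the real Startup folder on a live host.

```python
import os
import re
from pathlib import Path

# Per-user Startup folder (real path; only used by scan_startup on a live host).
STARTUP_DIR = Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup"

# VBScript launcher signature: WScript.Shell / Shell.Application followed by .Run / .ShellExecute.
SHELL_RUN = re.compile(r"(?:WScript\.Shell|Shell\.Application)[\s\S]*?\.(?:Run|ShellExecute)", re.I)
BAT_PATH = re.compile(r"([A-Za-z]:\\[^\"'\r\n]+?\.(?:bat|cmd))\b", re.I)
PY_EXEC = re.compile(r"\bpythonw?(?:\.exe)?\b", re.I)

def batch_targets(vbs_text):
    """Batch files a VBScript would run; empty if it is not a Shell.Run-style launcher."""
    if not SHELL_RUN.search(vbs_text):
        return []
    return BAT_PATH.findall(vbs_text)

def batch_runs_python(bat_text):
    """True if any non-comment line of the batch file invokes python or pythonw."""
    for line in bat_text.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith(("rem ", "::")):
            continue  # skip batch comments
        if PY_EXEC.search(stripped):
            return True
    return False

def assess_vbs(vbs_text, read_file):
    """Return the batch paths that the VBS launches and that themselves start Python."""
    hits = []
    for bat in batch_targets(vbs_text):
        content = read_file(bat)  # read_file returns the file text, or None if unreadable
        if content is not None and batch_runs_python(content):
            hits.append(bat)
    return hits

def scan_startup(startup_dir=STARTUP_DIR):
    """Scan a real Startup folder: map each suspicious .vbs to the Python-launching batch files it runs."""
    def read_file(path):
        try:
            return Path(path).read_text(errors="ignore")
        except OSError:
            return None
    return {vbs.name: hits for vbs in startup_dir.glob("*.vbs")
            if (hits := assess_vbs(vbs.read_text(errors="ignore"), read_file))}

# Constructed sample mirroring the described chain (not the malware's real files).
SAMPLE_VBS = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "C:\\Python311\\launcher.bat", 0, False\n'
SAMPLE_BAT = '@echo off\nstart "" /min python.exe "C:\\Python311\\payload.py"\n'
SAMPLE_FILES = {"C:\\Python311\\launcher.bat": SAMPLE_BAT}  # stands in for the filesystem

if __name__ == "__main__":
    print("sample:", assess_vbs(SAMPLE_VBS, SAMPLE_FILES.get))
    print("live host:", scan_startup())
```

A hit only means a VBS-to-batch-to-Python chain exists in Startup; legitimate tooling can do the same, so review the referenced script before acting on it.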

The malware has a file exfiltration function that leverages 'transfer[.]sh,' an anonymous file transfer website that is increasingly popular among threat actors. The malware also contains code related to social engineering, which generates an error message that attempts to persuade the user to re-run the malware as an administrator. Additionally, the malware contains an embedded version of the 'Snake' game that appears to be a direct copy of code from a GitHub repository. However, this game doesn't serve any apparent purpose and doesn't start when executed.

The malware triggers multiple subprocesses, which include threads for collecting cookies, passwords, and cryptocurrency wallets. To enable remote control, the malware starts a Flask web application. The threat then makes the application accessible to the internet via Cloudflare's reverse tunnel utility named 'cloudflared.' By using this method, the malware can bypass any inbound firewall rules and maintain a persistent presence on the compromised system.

The Expansive Set of Threatening Capabilities Found in the Colour-Blind RAT

The Colour-Blind RAT and its various harmful functionalities can be controlled via the Web application. The tokens function can dump login tokens for several applications that use Chromium, either via electron.io or directly, as an application framework, which includes Discord. The passwords function dumps extracted passwords from web browsers to the screen, while the cookies function dumps all browser cookies to the screen. The keys function dumps the data captured by the keylogger and shows it on the screen.

The RAT also has an applications function, which provides a list of the currently active applications and a button to terminate them. The data dump function sends all captured data to the C2 URL. The screen function shows a screenshot of the user's desktop and allows for rudimentary interaction, such as key presses. The threat can also look up IP information and display it on the screen using a different function. It can open a browser to a given webpage and run commands via the operating system. Cryptocurrency wallet information can be harvested from the breached device via the phantom/Metamask function.

However, the Colour-Blind RAT can perform even more actions on the infected systems, such as using the /camera endpoint to spy on an unsuspecting user via a web camera. There are also various endpoints starting with 'hvnc,' which deal with a hidden desktop created on the victim's machine. The /hvncmanager function allows for the starting of a Web browser on this hidden desktop. The /hvnc function is used to open the hidden desktop and allows the threat actors to interact with it. The ability to open a web browser in such a hidden manner can be exploited by the threat actors to access or interact with the victim's internet accounts. The /hvncitem function enables the attackers to execute custom commands on the hidden desktop via manipulation of the URL parameter 'start.'
