Info-stealer, RAT discovered in malicious PyPi package

Kroll's Cyber Threat Intelligence team discovered that the malicious "colourfool" package uploaded to the Python Package Index repository contained the Colour-Blind information stealer and remote access trojan, reports The Hacker News. Aside from conducting defense evasion checks, Colour-Blind also ensures persistence through a Visual Basic script and exfiltrates data through transfer[.]sh, according to Kroll researchers Dave Truman and George Glass. "As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare's reverse tunnel utility 'cloudflared,' bypassing any inbound firewall rules," noted researchers. Meanwhile, the RAT was found to feature password gathering, application terminating, screenshot capturing, keystroke logging, arbitrary web page opening, command executing, cryptocurrency wallet data gathering, and web camera hijacking capabilities. "The 'Colour-Blind' malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others," researchers said.