PyPI repo poisoned with "Colour-Blind" RAT

Here are the key takeaways from the Colour-Blind remote access trojan, with insights from supply chain security experts

John P. Mello Jr.
Blog Author

John P. Mello Jr., Freelance technology writer.


Malicious actors are increasingly dropping malware packages into open-source software repositories in the hope that developers will spread that malicious code throughout their applications. The latest case in point: Kroll's recent discovery of a full-featured information stealer and remote access trojan (RAT) into the Python Package Index (PyPI).

Kroll, a risk and financial advisory company, unearthed the malware, which it dubbed Colour-Blind, through a tool it developed to gather more information about initial attack vectors.

Colour-Blind shows how easily hackers can write the common functions of malware into a modern language, such as Python, Kroll researchers Dave Truman and George Glass asserted in a company blog. It is, they said, a harbinger of rising software supply chain risk. 

"This malware also provides insights into how the democratization of cybercrime could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others."
Dave Truman and George Glass

Cybercriminals have been refining their business models for some time, simplifying what it takes to be a threat actor through crime-as-a-service offerings on the dark web, said Mike Parkin, a senior technical engineer at Vulcan Cyber. Brokers can mix and match attack components to meet a client's specific needs, "Only the clients here are cybercriminals who are looking to attack a specific sector, target, or region," he said.

Threat actors are always looking for new attack vectors, vulnerabilities, and techniques to reach their goals, Parkin added. Whether those actors are criminal gangs or state-sponsored threats, the attacks will be against whatever threat surface is weakest at the time, he said.

"Here, it's code repositories. When those holes are closed, the attackers will find new ones."
Mike Parkin

Here's what you need to know about the Colour-Blind RAT, with insights and takeaways from supply chain security experts.

Colour-Blind: Similar to W4SP stealer

The functions and techniques deployed by the Colour-Blind RAT are similar to those found in a rash of malicious PyPI packages that Phylum, Checkmarx and ReversingLabs discovered in November, 2022. At the time, those infected packages were spreading the W4SP Stealer malware.

Over the last few months, almost every piece of malware injected into the PyPI was attempting to steal cookies, passwords, tokens, and wallets, but a distinguishing feature of W4SP is its use of Flask, Cloudflare's reverse tunnels and transfer.sh for data exfiltration by the threat actors linked to the malware.

The similarities between Colour-Blind and W4SP seem too big to be a coincidence,  said ReversingLabs security researcher Karlo Zanki.

"Even the quite specific usage of Visual Basic script to acquire persistence, which is not commonly seen in Python malware, has been observed in both cases. The obfuscation strings containing 0-s and O-s, while not so uncommon, have also already been seen in the previous malware samples related to the W4SP group."
Karlo Zanki

Frankenstein theory debunked

The Colour-Blind malware was a kind of "Frankenstein" application cobbled together from a variety of other programs, Kroll researchers concluded. Some parts of the software were blatantly malicious, such as a function that attempted to avoid antivirus detection by adding the malware's file location to the exclusion path for Microsoft Defender. Other parts of the code contained weak attempts at obfuscation.

Zanki is skeptical of the Frankenstein theory, however.

"Even though the W4SP group usually open-sources their malware, they are also maintaining a private malware collection. The earliest malware package from our research was published by none other than billythegoat356 — a member of the W4SP group."
—Karlo Zanki

Colour-Blind's direct relation to the mentioned group doesn't exist, Zanki said. While there remains a possibility that a new actor created this malware by gluing together various malware pieces, "I am more inclined to the theory that this is the work of the W4SP crew," he said.  

Mind your open source package use

Organizations should be careful when using open-source software packages, Zanki said. He recommends security mechanisms for monitoring third-party dependencies, and security assessments for every software package in use or under development.

The order of those is assessments is also key, and should be performed before a package is tested. "A lot of malicious packages execute their functionality upon installation," he said.

Application security teams should also be aware of the larger trend of supply chain attacks moving up the chain to development teams, as reported in ReversingLabs' State of Software Supply Chain Security.

"Packages often target developers, not necessarily end-users of software. If you don't possess adequate skills to perform such security assessments, use dedicated security tools."
—Karlo Zanki

Lessons from recent supply chain attacks

Malicious actors are continuously improving their techniques and skills — and they won't stop, Zanki said.

Threat actors always like to achieve their goals with the least amount of work necessary, and that makes the supply chain an attractive target, Parkin added.

"If an attacker can get their malicious code into a well-known repository, and somehow get people to use it, they're bypassing several steps in the attack chain by having the target do a large part of the work for them."
—Mike Parkin

The increase in supply chain attacks, driven by the potentially high value data at stake, such as secrets in the recent CircleCI hack, is concerning. But the automation of attacks is even more worrying, Zanki said.

"The list of the sensitive data attackers aim to steal is continuously expanding. There aren't too many security mechanisms preventing them from publishing to public software repositories, and the latest campaigns, which contain a large number of packages, suggest that the malware is getting published in an automated way."
—Karlo Zanki