Pytoileur: A Sneaky Threat in Disguise
Recently, a PyPI package named “pytoileur” was flagged by Sonatype’s automated malware detection systems. Tracked as sonatype-2024-1783, it was downloaded 264 times before it was removed from PyPI. It masqueraded as a “Cool package” and falsely claimed to be an “API Management tool written in Python,” a disguise intended to trick users into downloading and installing it.
Interestingly, “Pytoileur” was the only package published by a PyPI user named “PhilipsPY,” who joined the platform on May 25, 2024. The package’s “setup.py” file appeared clean at first glance, but upon closer inspection, it was clear that something was amiss. Sonatype’s security researcher, Jeff Thornhill, spotted unusual whitespace in the code, cleverly used to hide a base64-encoded payload, making it easy to overlook without scrolling to the right.
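The hiding trick described above (a long run of whitespace pushing a base64 literal off the visible edge of the editor) is easy to flag mechanically. The following is an added example written for this article, not Sonatype’s tooling or the package’s own code: it scans a constructed setup.py, reports lines with a suspicious whitespace gap, a decoder/exec call, or a base64-looking literal, and decodes the literal for a reviewer to inspect.

```python
import base64
import re

# Constructed sample for this example: a harmless print() is base64-encoded and
# pushed 300 spaces to the right, mimicking the layout described in the article.
HIDDEN = base64.b64encode(b"print('hidden code would run here')").decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='demo', version='0.1')" + " " * 300
    + f"; exec(__import__('base64').b64decode('{HIDDEN}'))\n"
)

# A gap this wide scrolls the rest of the line out of a normal editor window.
WHITESPACE_RUN = re.compile(r"[ \t]{40,}")
# A quoted literal made only of base64 characters, long enough to carry code.
B64_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
# Calls that turn an opaque string back into executable code.
DECODER_CALL = re.compile(r"b64decode|exec\(|eval\(")


def scan_setup_py(text):
    """Return one finding per suspicious line: reasons, column where the hidden
    text starts (if any), and the decoded base64 payload (if any)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons, hidden_at, decoded = [], None, None
        run = WHITESPACE_RUN.search(line)
        if run:
            reasons.append("long whitespace run")
            hidden_at = run.end()  # first visible column after the gap
        if DECODER_CALL.search(line):
            reasons.append("decoder/exec call")
        token = B64_TOKEN.search(line)
        if token:
            try:
                raw = base64.b64decode(token.group(1), validate=True)
                decoded = raw.decode("utf-8", "replace")
                reasons.append("base64 literal")
            except ValueError:
                pass  # not valid base64; leave it to the other heuristics
        if reasons:
            findings.append({"line": lineno, "reasons": reasons,
                             "hidden_at_column": hidden_at, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f)
```

Flagging a line is a prompt for manual review, not a verdict: legitimate packages rarely combine a 40-plus character gap with a decoder call on the same line, but the decoded text is what a reviewer should actually read.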
The payload was designed to download a malicious executable from an external server, targeting Windows users. The binary, “Runtime.exe,” was executed using Windows PowerShell and VBScript commands, further compromising the system by achieving persistence and deploying anti-detection measures.
The package also deployed additional suspicious executables, manipulated Windows registry settings, and contained components previously identified as spyware. One binary, “main.exe,” was equipped with information-stealing and crypto-jacking capabilities. It
Image Credit: www.sonatype.com