A new malicious Python package, named colourfool, has been found to contain a fully-featured information stealer and remote access trojan. The package was identified by Kroll's Cyber Threat Intelligence team, with the company calling the malware Colour-Blind.
"The 'Colour-Blind' malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others," Kroll researchers Dave Truman and George Glass said in a report.
Colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord. The file contains a Python script (code.py) that comes with different modules designed to log keystrokes, steal cookies, and even disable security software.
The malware, besides performing defense evasion checks to determine if it's being executed in a sandbox, establishes persistence by means of a Visual Basic script and uses transfer[.]sh for data exfiltration." As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare's reverse tunnel utility 'cloudflared,' bypassing any inbound firewall rules," the researchers said.