InfoSecBulletin Cybersecurity for mankind
The Socket Research Team has discovered a malicious package named “fabrice,” pretending to be the legitimate fabric SSH automation library. Since its introduction on PyPI in 2021, fabrice has been stealing AWS credentials from users who mistakenly installed it. With over 37,000 downloads, this incident underscores ongoing risks of malware in open-source repositories.
The malicious fabrice package employs various techniques to deliver its payload, with different malicious actions tailored for Linux and Windows environments:
Eight New ICS Advisories released by CISA
Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI
London-based company “Builder.ai” reportedly exposed 1.2 TB data
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA
CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability
U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports
Daily Security Update Dated: 18.12.2024
CISA released best practices to secure Microsoft 365 Cloud environments
Data breach! Ireland fines Meta $264 million, Australia $50m
On Linux Systems:
The package uses a function called linuxThread() to download and execute hidden scripts from an external server. According to the research, “the linuxThread() function creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads”, making detection difficult. Additionally, the package connects to a VPN server at IP address 89.44.9.227 to download these malicious scripts, using obfuscation techniques to avoid detection.
On Windows Systems:
The Windows version, using the winThread() function, relies on base64-encoded payloads stored in variables vv and zz. The research explains that “the vv variable decodes into a VBScript (p.vbs) that runs a hidden Python script (d.py)”, which then downloads further malicious executables. The zz script establishes persistence by scheduling tasks to re-execute the malicious code, maintaining the attack’s presence even after system reboots.
Fabrics primarily aims to steal AWS credentials. Using the boto3 library, it grabs AWS access and secret keys from compromised environments. After collecting these keys, they are sent to a VPN endpoint, making it difficult for victims to trace. As noted in the report, this gives attackers access to sensitive cloud resources, risking unauthorized data exposure.
The malware is platform-agnostic, using a test() function to identify the operating system and run the relevant malicious thread for both Linux and Windows users. This design expands its potential impact across different systems.
Typosquatting attacks, where harmful packages mimic trusted libraries, pose a significant risk in open-source software. The legitimate fabric library by bitprophet has over 201 million downloads and is widely trusted.
Attackers exploited this trust with a malicious package named fabrice, leading to credential theft and backdoor installations on unsuspecting systems.
