xFileSyncerx: Malicious Package with Wiper Components Discovered on PyPI
In a recent investigation, ReversingLabs researchers uncovered a malicious open-source package on the Python Package Index (PyPI) called xFileSyncerx, which contained dangerous “wiper” components. With close to 300 downloads, this package raised alarms about the growing threat landscape within open-source repositories. However, further investigation revealed that this package was part of a cybersecurity professional’s “red team” penetration test for a client’s Security Operations Center (SOC).
The presence of code obfuscation in xFileSyncerx flagged it for further inspection. The package, posted in April by a newly created PyPI account, contained a malicious downloader that retrieved second-stage malware from a remote URL. This URL was hidden using bitwise shifts, making detection more difficult.
The xFileSyncerx package included a second-stage malware, s2.py, actively maintained on GitHub by an account named d3duct1v. This script encrypts files in the /home directory of compromised systems, excluding hidden files and directories. Initially, only the ‘.ssh’ directory was excluded, but later commits broadened this exclusion. Despite its capabilities, the malware did not exfiltrate data, suggesting it was designed more to disrupt than to steal.
Further analysis showed that s2.py attempted to spread across local networks using hardcoded SSH credentials, downloading and executing a third-stage malware, s3.py, which contained only wiper functionality. This pointed to a potential Internet of Things (IoT) worm, though further investigation revealed a different story.
Upon reaching out to the d3duct1v account, ReversingLabs learned that the package was created for a penetration test. The author, a U.S.-based penetration tester, explained that the xFileSyncerx package was designed to test the client’s SOC. The hardcoded IP addresses and credentials were specific to the client’s environment, and the “BellJ1” username was a coincidence, not a reference to Bell J1 doorbell cameras.
The discovery of xFileSyncerx underscores the complexities of monitoring open-source repositories. As the line between goodware, malware, and grayware blurs, cybersecurity professionals must remain vigilant. By implementing best practices and advocating for clearer guidelines, the industry can better navigate the challenges posed by the ever-evolving threat landscape in the open-source ecosystem.
