ZiChatBot

The threat was uncovered after a series of malicious Python packages were found on PyPI... The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.

To conceal the malicious package containing ZiChatBot, the attacker created another benign-looking package that included the malicious package as a dependency... The termncolor library imports the malicious colorinal library as a dependency.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain.

On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread.

system ( "chmod +x /tmp/obsHub/obs-check-update" ) system ( "echo \"5 * * * * /tmp/obsHub/obs-check-update\" | crontab - " )

In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process. The code loads the dropper into the host Python process.

The code actually loads the terminate.dll file into the Python process and then invokes the DLL’s exported function envir... The Windows version of ZiChatBot is a DLL file (libcef.dll) that is loaded by the legitimate executable vcpktsvr.exe.

Once a Python user downloads and installs the colorinal-0.1.7-py3-none-win_amd64.whl wheel package file, or installs it using the pip tool... if the colorinal library is imported into the victim’s project, the Python script file... will be executed first.

On Windows systems, once any of the first two packages is installed, the malicious code extracts a DLL dropper ("terminate.dll") and write it to disk. At the time the library is imported into a project, the DLL is loaded, acting as a dropper for ZiChatBot.

On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

The Windows version of ZiChatBot is a DLL file named libcef.dll... It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in.

On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

The Windows version of ZiChatBot is a DLL file named libcef.dll... It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in.

The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads.

The attacker uploaded packages designed to look like common development libraries... The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions.

After deploying ZiChatBot, it used shellcode to self-delete, wiping traces of the initial infection.

On Windows systems, once any of the first two packages is installed, the malicious code extracts a DLL dropper ("terminate.dll") and write it to disk. At the time the library is imported into a project, the DLL is loaded, acting as a dropper for ZiChatBot.

One pair sends basic system information about the infected machine back to the attacker.

The Linux version of the shared object dropper ("terminate.so") plants the malware in the "/tmp/obsHub/obs-check-update" path and configures a crontab entry.

ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service.

ZiChatBot uses the REST APIs from Zulip, a public team chat application, as its command and control server... it initiates a series of sequential HTTP requests to the Zulip REST API.

A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.

ZiChatBot does not communicate with a dedicated command and control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure.

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.