OceanLotus suspected of using PyPI to deliver ZiChatBot malware

What Happened

Hackers suspected to be part of the OceanLotus group have uploaded malicious software packages to PyPI, a popular repository for Python developers. If a developer downloads these fake packages, their Windows or Linux computer becomes infected with a new malicious program called ZiChatBot. This matters because the malware hides its communications by using a legitimate chat app called Zulip, making it hard to detect while it waits for commands from the attackers. Developers should ensure they are downloading legitimate packages, and security teams should block the known malicious chat app address used by the attackers.

Key Takeaways

• OceanLotus is suspected of conducting a PyPI supply chain attack to deliver a new malware family named ZiChatBot.
• The campaign uses malicious wheel packages (uuid32-utils, colorinal, termncolor) targeting both Windows and Linux platforms.
• ZiChatBot uses the public team chat application Zulip's REST APIs as its C2 infrastructure to evade detection.
• The malware establishes persistence via Registry Run keys on Windows and crontab on Linux.
• The malicious packages have been removed from PyPI, and the associated Zulip organization has been deactivated.

Affected Systems

• Windows
• Linux
• Python environments

Attack Chain

The attack begins with the victim installing a malicious Python package (e.g., colorinal or uuid32-utils) via pip. Upon importing the library, an embedded Python script loads a dropper (terminate.dll or terminate.so) into the Python process. The dropper decrypts and deploys the ZiChatBot payload (vcpktsvr.exe and libcef.dll on Windows, or an ELF file on Linux) and establishes persistence via Registry Run keys or crontab. Finally, ZiChatBot executes and communicates with a Zulip chat server via REST APIs to receive and execute shellcode.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but mentions that Kaspersky products have been updated to detect the relevant files.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can easily monitor process creation (pip installing packages), file drops in %LOCALAPPDATA% or /tmp, registry modifications for persistence, and DLL side-loading behaviors. Network Visibility: Medium — Network traffic is directed to a legitimate service (Zulip), which may blend in with normal traffic, but the specific subdomain (helper.zulipchat.com) and API patterns can be monitored. Detection Difficulty: Moderate — While the initial vector uses legitimate developer tools (pip) and C2 uses a legitimate service (Zulip), the persistence mechanisms (Run keys, crontab) and DLL side-loading are standard and detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• Registry Modifications (Sysmon 12/13)
• Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for Python processes dropping executable files (.dll, .so, .exe) into user appdata or /tmp directories.	File Creation events linked to python.exe or pip.	Execution	Low to Medium
Monitor for unexpected modifications to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key pointing to executables in %LOCALAPPDATA%.	Registry modification events.	Persistence	Medium
Identify network connections to zulipchat.com originating from unusual processes like vcpktsvr.exe or python.exe.	Network connection logs correlated with process execution.	Command and Control	Low

Control Gaps

• Lack of strict vetting for third-party Python packages
• Allowing outbound connections to unapproved chat/collaboration platforms

Key Behavioral Indicators

• Python scripts importing and executing ctypes.CDLL on newly dropped DLLs
• Creation of 'vcpacket' directory in LocalAppData
• Crontab entries pointing to '/tmp/obsHub/'

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block network traffic to helper.zulipchat.com.
• Search endpoints for the presence of the 'vcpacket' directory in LocalAppData or '/tmp/obsHub/' on Linux.
• Audit Python environments for the installation of 'uuid32-utils', 'colorinal', or 'termncolor' packages.

Infrastructure Hardening

• Implement network filtering to block unauthorized third-party chat and collaboration APIs.
• Restrict execution of binaries from /tmp on Linux systems (e.g., mount /tmp with noexec).

User Protection

• Deploy EDR to monitor for suspicious child processes spawned by Python or pip.
• Enforce application control to prevent execution of unapproved binaries in user directories.

Security Awareness

• Train developers on the risks of typosquatting and supply chain attacks in public package repositories like PyPI.
• Establish a policy for vetting and approving third-party libraries before use in development environments.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.006 - Command and Scripting Interpreter: Python
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1053.003 - Scheduled Task/Job: Cron
• T1102.002 - Web Service: Bidirectional Communication
• T1027 - Obfuscated Files or Information
• T1574.002 - Hijack Execution Flow: DLL Side-Loading

Additional IOCs

• File Hashes:
  • 5152410aeef667ffaf42d40746af4d84 (MD5) - termncolor-3.1.0-py3-none-any.whl
  • 0a5a06fa2e74a57fd5ed8e85f04a483a (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • e4a0ad38fd18a0e11199d1c52751908b (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • 5598baa59c716590d8841c6312d8349e (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • 968782b4feb4236858e3253f77ecf4b0 (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • b55b6e364be44f27e3fecdce5ad69eca (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • 02f4701559fc40067e69bb426776a54f (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • e200f2f6a2120286f9056743bc94a49d (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • 22538214a3c917ff3b13a9e2035ca521 (MD5) - uuid32_utils-1.x.x-py3-none-xxxx.whl
  • ba2f1868f2af9e191ebf47a5fab5cbab (MD5) - colorinal-0.1.7-py3-none-xxxx.whl
  • c33782c94c29dd268a42cbe03542bca5 (MD5) - Backward.dll
  • 454b85dc32dc8023cd2be04e4501f16a (MD5) - Backward.dll
  • fce65c540d8186d9506e2f84c38a57c4 (MD5) - Backward.so
  • 652f4da6c467838957de19eed40d39da (MD5) - Backward.so
  • 1995682d600e329b7833003a01609252 (MD5) - terminate.dll
  • 38b75af6cbdb60127decd59140d10640 (MD5) - terminate.so
  • 48be833b0b0ca1ad3cf99c66dc89c3f4 (MD5) - vcpktsvr.exe
• Registry Keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pkt-update - Persistence mechanism for ZiChatBot on Windows.
• File Paths:
  • %LOCALAPPDATA%\vcpacket\vcpktsvr.exe - Path where the legitimate executable is dropped on Windows.
  • %LOCALAPPDATA%\vcpacket\libcef.dll - Path where the malicious ZiChatBot payload is dropped on Windows.
  • /tmp/obsHub/obs-check-update - Path where the ZiChatBot payload is dropped on Linux.
• Command Lines:
  • Purpose: Install malicious PyPI packages | Tools: pip | Stage: Initial Access | pip install uuid32-utils
  • Purpose: Establish persistence on Linux via crontab | Tools: crontab, echo | Stage: Persistence | echo "5 * * * * /tmp/obsHub/obs-check-update" | crontab -
  • Purpose: Make Linux payload executable | Tools: chmod | Stage: Execution | chmod +x /tmp/obsHub/obs-check-update
• Other:
  • Morian-bot@helper.zulipchat.com:U8REXlI6Kf8qXB9rQzOPBiIA4brJ58qG - Decoded Zulip API Auth token used by ZiChatBot.