Since I’m interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The best-known repository is probably pypi.org[1], which reports, as of today, 567,478 projects! Malware developers are like regular developers: they don’t want to reinvent the wheel, so they shop around existing libraries to expand their scripts' capabilities.
I compiled a list of libraries that are often used by malicious scripts. Warning! These libraries are NOT malicious; they are also used for totally legitimate purposes. Like many Windows API calls, they are just (ab)used by developers. Here is my top list:
Module | Description |
---|---|
pyWinhook | Python wrapper for out-of-context input hooks in Windows. It provides callbacks for global mouse and keyboard events: applications register handlers for events such as left mouse down, left mouse up or key down and set the keyboard and/or mouse hook. A typical building block of keyloggers. |
pyperclip | Cross-platform Python module for clipboard copy and paste. Used to harvest clipboard content (passwords, wallet addresses) or to replace it ("clipper" malware). |
psutil | psutil (process and system utilities) is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network, sensors). Legitimately used for monitoring and profiling; malicious scripts use it to enumerate processes, e.g. to spot analysis tools or security products. |
win32gui | Part of the pywin32 extensions. Exposes the Win32 GUI functions (window enumeration, GetForegroundWindow, GetWindowText, ...). Keyloggers use it to record the title of the active window alongside the captured keystrokes. |
win32process | An interface to the Win32 Process and Thread APIs (part of pywin32). |
pythoncom | This module supports the Microsoft Component Object Model (COM). COM allows you to use "objects" from your favorite language, even if the object isn't implemented in your language. Many Windows applications (including Microsoft Office) can be controlled through COM, which makes it suitable for scripting-related tasks. |
tkinter | The standard Python interface to the Tcl/Tk GUI toolkit. Used in some malicious scripts to display a decoy GUI, such as a fake player or a small game. |
ctypes | A "foreign function library": it provides C-compatible data types and allows calling functions in DLLs or shared libraries. It can reach any Windows API call, including those not wrapped by pywin32, and is often used for code injection. |
winreg | Reads and writes Windows registry keys, for example to set up persistence through the Run keys. |
ftplib | Easy implementation of the FTP protocol to exfiltrate data or download next stages. |
discord | The discord.py API wrapper, used to interact with Discord servers. Often used as a C2 channel; Discord webhooks are also a popular exfiltration target. |
pyautogui | Controls the mouse and keyboard to automate interactions with other applications, and can also take screenshots. |
PIL | The Python Imaging Library (the Pillow fork is imported as PIL) adds image processing capabilities to your Python interpreter. PIL.ImageGrab is a convenient way to capture the screen. |
getpass | Portable password input, but it also provides getpass.getuser(), which returns the login name of the current user. |
faker | Generates fake data (names, addresses, documents). Intended to bootstrap databases, fill in persistence layers for stress tests or anonymize production data. |
cloudscraper | A Python module to bypass Cloudflare's anti-bot page (also known as "I'm Under Attack Mode", or IUAM), implemented on top of Requests. |
fernet | Provided by the cryptography package (cryptography.fernet). Fernet is an implementation of symmetric (also known as "secret key") authenticated cryptography: a message encrypted with it cannot be manipulated or read without the key. Used to encrypt collected data before exfiltration or to decrypt a next stage. |
qrcode | This module generates QR codes. |
secrets | Generates cryptographically strong random numbers for managing passwords, account authentication, security tokens and related secrets. |
smtplib | Easy implementation of the SMTP protocol to exfiltrate data. |
pytesseract | Python-tesseract is an optical character recognition (OCR) tool for Python: it recognizes and "reads" the text embedded in images, e.g. in captured screenshots. |
telebot | The pyTelegramBotAPI package; helps to create a Telegram bot, often used as a C2 or exfiltration channel. |
telethon | A Telegram client library (MTProto API); talks to Telegram without a bot. |
pynput | Controls and monitors input devices. Currently, mouse and keyboard input and monitoring are supported. Another common keylogger building block. |
win32api | Helps to call the Win32 API (part of pywin32). |
wmi | Provides an interface to the Windows Management Instrumentation framework, used to query system details (installed security products, hardware, virtualization hints). |
win32crypt | Provides an interface to the Win32 Cryptography API. Its CryptUnprotectData() is what infostealers call to decrypt DPAPI-protected browser credentials. |
wave | Provides an interface to the Waveform Audio "WAVE" (or "WAV") file format. |
sounddevice | Provides bindings for the PortAudio library and a few convenience functions to play and record NumPy arrays containing audio signals. Combined with the wave module (see above) it helps to record from the microphone and exfiltrate conversations. |
pythonnet | Embeds .NET into Python (imported as clr), which lets a script load and call .NET assemblies. |
dropbox | Used to exfiltrate data via Dropbox. |
win32pdh | Encapsulates the Windows Performance Data Helpers API[2]; used to fingerprint the targeted computer (ex: user's activity). |
py7zr | Used to manipulate 7Z archives and exfiltrate collected data. |
pyzipper | Used to manipulate ZIP archives, including AES-encrypted ones, and exfiltrate collected data. |
browser_cookie3 | Loads the cookies used by the local web browsers into a cookie jar object. Often used by infostealers. |
browser_history | Simple Python package used to retrieve (almost) any browser's history on (almost) any platform. Like the previous module, used by infostealers. |
marshal | Contains functions that read and write Python values, including code objects, in a binary format. Used for obfuscation: a loader ships marshalled bytecode and exec()s it. |
py_compile | Generates a byte-code file from a source file. Used as an obfuscation technique: once compiled, the initial script is deleted. |
firebase_admin | Used to integrate Firebase into scripts. This is often used for easy exfiltration of data. |
If not available on the victim's computer, these modules can be easily installed using a few lines of code. Note that the spawned `python -m pip install` process and the resulting connection to pypi.org are both visible to endpoint telemetry:

```python
import importlib
import subprocess
import time
from sys import executable

# Placeholder names as in the sample; real scripts list the modules they need
required_modules = ["module1", "module2", "moduleN"]

for m in required_modules:
    try:
        # "import m" would look for a module literally named "m"
        importlib.import_module(m)
    except ImportError:
        # Install with the interpreter running the script, then give pip a moment
        subprocess.Popen([executable, "-m", "pip", "install", "--quiet", m])
        time.sleep(3)
```
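The list above is also handy on the defensive side. As an added example (not code from the original diary), here is a small static triage helper that parses a suspect script with Python's ast module and reports which watchlisted modules it imports, which watchlisted names only appear as strings (the way the pip-install loop or importlib.import_module() receive them), and any embedded "pip install" command. The watchlist keys on import names, so fernet is listed as "cryptography" and pythonnet as "clr"; the SAMPLE script is constructed for the demonstration and is not a real malware sample.

```python
import ast
import re

# Watchlist built from the table above, keyed by the name used in an import
# statement. Fernet lives in the "cryptography" package, pythonnet is imported
# as "clr", and "pynput" is the real name of the input-monitoring library.
WATCHLIST = {
    "pyWinhook", "pyperclip", "psutil", "win32gui", "win32process", "pythoncom",
    "tkinter", "ctypes", "winreg", "ftplib", "discord", "pyautogui", "PIL",
    "getpass", "faker", "cloudscraper", "cryptography", "qrcode", "secrets",
    "smtplib", "pytesseract", "telebot", "telethon", "pynput", "win32api", "wmi",
    "win32crypt", "wave", "sounddevice", "clr", "dropbox", "win32pdh", "py7zr",
    "pyzipper", "browser_cookie3", "browser_history", "marshal", "py_compile",
    "firebase_admin",
}

# Runtime dependency fetching: a "pip install" command embedded in the script
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\b")


def top_level(name):
    """'cryptography.fernet' -> 'cryptography'."""
    return name.split(".")[0]


def imported_modules(tree):
    """Top-level module names pulled in by import / from ... import statements."""
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(top_level(alias.name) for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.add(top_level(node.module))
    return found


def string_literals(tree):
    """All str constants in the script (f-string fragments included)."""
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def triage(source):
    """Summarise watchlist hits in a Python source text.

    imported     - watchlisted modules imported statically
    string_refs  - watchlisted names that only appear as string literals, which
                   is how a pip-install loop or importlib.import_module() gets them
    pip_installs - string literals that embed a 'pip install' command
    """
    tree = ast.parse(source)  # raises SyntaxError on Python 2 or broken input
    imported = imported_modules(tree) & WATCHLIST
    strings = string_literals(tree)
    string_refs = ({top_level(s) for s in strings} & WATCHLIST) - imported
    return {
        "imported": sorted(imported),
        "string_refs": sorted(string_refs),
        "pip_installs": [s for s in strings if PIP_INSTALL_RE.search(s)],
    }


# Constructed sample mimicking an infostealer stub; not a real malware sample.
SAMPLE = '''
import os
from sys import executable
import importlib
import browser_cookie3
from cryptography.fernet import Fernet

for m in ["pyperclip", "discord"]:
    try:
        importlib.import_module(m)
    except ImportError:
        os.system('"' + executable + '" -m pip install ' + m + ' --quiet')

cookies = browser_cookie3.chrome()
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a directory of extracted scripts and sort by the number of hits; a script that imports browser_cookie3 and win32crypt and carries a pip-install loop deserves a look first. It is a triage aid rather than a verdict: every module in the watchlist has legitimate users, and a Python 2 script or an obfuscated blob that is not valid source will raise SyntaxError in ast.parse(), so wrap the call accordingly when batch-processing.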
If you discover more Python libraries sometimes used for malicious reasons, please share! I'd like to keep this list up-to-date!
[1] https://pypi.org/
[2] https://learn.microsoft.com/en-us/windows/win32/perfctrs/using-the-pdh-functions-to-consume-counter-data
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key