Unveiling the Dangers of the "AnyDesk-Malcom" Malicious Python Package

At Socket, our commitment to security covers multiple package ecosystems—ranging from npm, Go, and PyPI—allowing developers to maintain an environment free from risks. Recent scans done by our Socket AI product and our security researchers have unveiled an interesting finding beyond our normal findings everyday.

Unveiling the Dangers of the "AnyDesk-Malcom"

After being alerted by Socket AI our security researchers took a closer look at a PyPI package anydesk-malcom and verified malicious behavior being performed by the package. This library was last released on the 14th of May 2022 just one day after the user Ritetransfer who performed the publication of the package created their account on the 13th of May 2022. This user has only published this package without any other apparent publications to PyPI.

The project has been downloaded a total of 26,835 times. Over the last 7 days, the project has been downloaded 310 times. In the last 30 days, the project has received 1,662 downloads. These numbers indicated that this package had a much higher potential impact than other packages being flagged for malware and vulnerabilities than normal in our threat feed.

Upon taking a glimpse into the script code, we observed that the script begins by importing essential modules and classes. At first glance it appears to be a normal package using setuptools and going through the normal setuptools.command.install workflow.

However, unlike normal packages this one has installation was instead malware. The script introduces a custom installation process through the class "SneakyInstall," which extends the "install" class. This clever approach led to suspicions at something being tampered with in the installation pipeline.

What's behind this enigmatic download?

The script gets bold as it silently reaches out to a URL "https://peso-dolar.com/fiverr_nopassword/AnyDesk.zip" and authenticates with a password.

The script then extracts the contents of the AnyDesk.zip file to disk. Once the contents are on disk, the script initiates launched "AnyDesk.exe", but what purpose does this serve? Unfortunately, the Zip is no longer available to download.

Our team then performed threat intelligence to understand what’s a potential impact or potential impact if the file becomes available again.

We noted that the URL from where the zip file is downloaded has already been marked malicious & associated with phishing frauds.

Digging inside deeper at the public IP address we observed that the IP address is associated with the domain has been related to a multitude of malicious files.

Also taking a historical view of the IP address it was observed that more than 10 malicious domains were associated with this IP address that were being flagged malicious by multiple vendors.

• shubeautybar.com.au
• www.shadowsoft-games.com
• www.cuisinealaresidence.com
• dxvmax.in
• www.idahouse4u.com
• magictools.in
• cocacolaluckydraw.com
• www.cocacolaluckydraw.com
• stem4climate.com
• 2o7kph.com
• ashleymeharg.com
• relentlessgladiator.com
• zouqjewels.com
• jetwayavia.com
• milanvice.com
• adultcontentcreatorclass.com
• kibrisx.com
• tropicalislandfarms.com
• thetalkofthetownmag.com
• billiondollarbeliefsystem.com

We have already reported the malicious package to the registry and are continuing to protect against this and similar threats as we find them.