ESET Research has documented a cluster of malicious Python projects distributed through PyPI, the official Python package repository. The campaign, reported in late 2023, stands out for its scale and for the techniques used to slip malicious code into otherwise ordinary-looking packages.
Key Findings from ESET Research:
Malicious Package Discovery: ESET Research identified 116 malicious packages across 53 PyPI projects (a project is a name on PyPI, which may have several uploaded releases). Together they had been downloaded more than 10,000 times since May 2023, a rate of roughly 80 downloads per day.
Target Systems: The malware targets both Windows and Linux. The final payload is usually a custom backdoor; in some cases it is instead a variant of the W4SP Stealer or a simple clipboard monitor that swaps cryptocurrency wallet addresses.
Malware Techniques: The operators used three techniques to get malicious code into Python packages:
Malicious test.py Module: A module named test.py, containing lightly obfuscated code, was added alongside the package's legitimate code; it carried logic for both Windows and Linux.
PowerShell in setup.py: PowerShell code was embedded in setup.py, the script pip executes during installation when no pre-built wheel is used, so merely installing the package runs it. The script downloaded and executed the next stages of the malware; because it relies on PowerShell, this route is aimed at Windows hosts.
Direct Malware Inclusion: Some packages contained nothing but malicious code, with no attempt to bundle legitimate functionality. That code was typically lightly obfuscated and was written to temporary files before being executed.
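As an added illustration (not tooling from the ESET report), the following script runs a static triage over an unpacked package for the three patterns above. It only reads files, never importing or executing the package; the indicator regexes, the expected package layout, and the sample package it builds in a scratch directory are this example's own assumptions.

```python
"""Static triage of an unpacked Python package for the three insertion
techniques described above: install-time PowerShell in setup.py, a lightly
obfuscated test.py module, and stand-alone malicious code that decodes a
payload and writes it to a temporary file for execution.

Added example, not ESET's tooling. The indicator regexes and the package
layout are the author's assumptions; the sample package is constructed."""
import re
import tempfile
from pathlib import Path

# Line-level indicators. A single hit is only a lead; the combinations in
# verdict() are what map onto the three techniques from the report.
INDICATORS = [
    ("powershell_launch", re.compile(r"\bpowershell(\.exe)?\b|-EncodedCommand|\s-enc\b", re.I)),
    ("shell_execution", re.compile(r"\b(os\.system|subprocess\.(run|Popen|call|check_output))\s*\(")),
    ("dynamic_exec", re.compile(r"(^|[^\w.])(exec|eval|__import__)\s*\(")),
    ("payload_decoding", re.compile(r"\b(base64\.b64decode|zlib\.decompress|codecs\.decode|bytes\.fromhex)\b")),
    ("tempfile_dropper", re.compile(r"tempfile\.(NamedTemporaryFile|mkstemp|gettempdir)|/tmp/|%TEMP%", re.I)),
    ("remote_fetch", re.compile(r"\b(urlopen|requests\.get|http\.client|socket\.connect)\b|Invoke-WebRequest|DownloadString|\biwr\b", re.I)),
]


def scan_file(path, root):
    """Return (relative_path, indicator, line_no, snippet) for every hit in one file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                findings.append((str(path.relative_to(root)), name, lineno, line.strip()[:80]))
    return findings


def scan_package(root):
    """Scan every .py file below an unpacked sdist or wheel directory."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.py")):
        findings.extend(scan_file(path, root))
    return findings


def verdict(findings):
    """Map per-file indicator sets onto the three techniques from the report."""
    by_file = {}
    for rel, name, _, _ in findings:
        by_file.setdefault(rel, set()).add(name)
    reasons = []
    for rel, names in by_file.items():
        base = Path(rel).name
        if base == "setup.py" and names & {"powershell_launch", "shell_execution", "remote_fetch"}:
            reasons.append(f"{rel}: code execution at install time (PowerShell/setup.py technique)")
        if base == "test.py" and "dynamic_exec" in names and "payload_decoding" in names:
            reasons.append(f"{rel}: obfuscated test module (test.py technique)")
        if "tempfile_dropper" in names and names & {"dynamic_exec", "shell_execution"}:
            reasons.append(f"{rel}: writes decoded code to a temp file and runs it (direct inclusion)")
    return reasons


def build_sample_package(dest):
    """Constructed sample shaped like the report's patterns. It is written to
    disk for scanning only and is never installed or imported."""
    pkg = Path(dest) / "example_pkg"
    (pkg / "example_pkg").mkdir(parents=True)
    (pkg / "setup.py").write_text(
        "from setuptools import setup\n"
        "import subprocess\n"
        "# constructed: launches PowerShell during install\n"
        "subprocess.Popen(['powershell', '-w', 'hidden', '-c', 'Invoke-WebRequest'])\n"
        "setup(name='example_pkg', version='0.1')\n"
    )
    (pkg / "example_pkg" / "__init__.py").write_text("def add(a, b):\n    return a + b\n")
    # The base64 payload is print('hello'); harmless and never executed here.
    (pkg / "example_pkg" / "test.py").write_text(
        "import base64\nexec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))\n"
    )
    return pkg


def run_demo():
    """Build the constructed sample in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as scratch:
        pkg = build_sample_package(scratch)
        findings = scan_package(pkg)
        return findings, verdict(findings)


if __name__ == "__main__":
    demo_findings, demo_reasons = run_demo()
    for hit in demo_findings:
        print("%-24s %-18s line %d: %s" % hit)
    print("verdict:", *demo_reasons, sep="\n  ")
```

To triage a real download, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: <name>`), extract it, and point scan_package() at the directory. A setup.py that spawns a shell or PowerShell is the highest-signal hit, because that code runs before anything in the package is ever imported.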
Persistence Mechanisms:
On Windows, persistence was achieved with a VBScript Encoded (VBE) file dropped into a fixed directory and a scheduled task that runs it every five minutes.
On Linux, a desktop entry was written to the user's autostart directory (~/.config/autostart) so the malware starts with each graphical session; the entry was named to mimic legitimate software and reduce suspicion.
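Added example, not from the report: an audit of the two persistence locations just described. It parses XDG autostart entries and exported Task Scheduler XML; the sample entries are constructed, and the heuristics (an executable under the home directory, hidden path components, a short repetition interval, a script host launching a .vbe file) are assumptions drawn from the description above.

```python
"""Audit the two persistence locations described above: XDG autostart
desktop entries on Linux and Windows scheduled tasks that fire on a short
repetition interval and launch an encoded VBScript through a script host.
Added example, not from the ESET report; the sample entries are constructed
and the heuristics are the author's assumptions."""
import re
import shlex
import xml.etree.ElementTree as ET

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/", "/snap/")
# Interpreter one-liners, temp dirs, or a hidden directory anywhere in the path.
SUSPICIOUS_EXEC = re.compile(r"\bpython[\d.]*\s+-c\b|\b(ba)?sh\s+-c\b|/tmp/|/dev/shm/|/\.[^/\s]+/", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b|\.vb[es]\b", re.I)


def parse_desktop_entry(text):
    """Minimal parser for the [Desktop Entry] group of a .desktop file."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
        elif in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def audit_autostart_entry(text):
    """Return the reasons an autostart entry resembles the described persistence."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    if not exec_line:
        return ["no Exec key"]
    program = shlex.split(exec_line)[0]
    reasons = []
    # Legitimate entries use bare names resolved via PATH or system paths;
    # an absolute path into the home directory is unusual for autostart.
    if "/" in program and not program.startswith(SYSTEM_PREFIXES):
        reasons.append(f"program outside system directories: {program}")
    if SUSPICIOUS_EXEC.search(exec_line):
        reasons.append("Exec uses an interpreter one-liner or a temp/hidden path")
    if entry.get("NoDisplay", "").lower() == "true":  # hidden from the startup-applications UI
        reasons.append("entry hides itself from the session's startup-application list")
    return reasons


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Task Scheduler XML namespace


def interval_seconds(iso):
    """Parse the ISO 8601 duration used in <Interval>, e.g. PT5M -> 300."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def audit_task_xml(xml_text, max_interval=600):
    """Return the reasons an exported scheduled task resembles the described persistence."""
    reasons = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Interval":
            secs = interval_seconds(el.text)
            if secs is not None and secs <= max_interval:
                reasons.append(f"repeats every {secs // 60} min")
        elif name == "Exec":
            cmd = " ".join(c.text or "" for c in el if _local(c.tag) in ("Command", "Arguments"))
            if SCRIPT_HOST.search(cmd):
                reasons.append(f"script host or VBScript action: {cmd}")
    return reasons


# Constructed samples: an ordinary entry, one shaped like the reported dropper,
# and a task export shaped like the five-minute VBE runner.
SAMPLE_LEGIT_ENTRY = "[Desktop Entry]\nType=Application\nName=Network Manager Applet\nExec=nm-applet\n"
SAMPLE_SUSPECT_ENTRY = """[Desktop Entry]
Type=Application
Name=Print Queue Applet
Comment=Show printer status
Exec=/home/user/.local/share/.printcfg/applet -q
NoDisplay=true
"""
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2023-06-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B "%APPDATA%\\example\\update.vbe"</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, text in (("legit", SAMPLE_LEGIT_ENTRY), ("suspect", SAMPLE_SUSPECT_ENTRY)):
        print(label, audit_autostart_entry(text))
    print("task", audit_task_xml(SAMPLE_TASK_XML))
```

On Linux, feed it every file under ~/.config/autostart/ and /etc/xdg/autostart/; on Windows, export tasks with `schtasks /query /tn <name> /xml` or `Get-ScheduledTask | Export-ScheduledTask` and pass the XML. A five-minute repetition is not malicious on its own, so treat hits as leads to confirm against the file hashes and network indicators listed under IoC.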
Final Payload Characteristics: The backdoor, written in Python for Windows and in Go for Linux, supports remote command execution, file exfiltration and, in some variants, screenshots. It opens a TCP connection to its command and control server and dispatches the commands it receives, handling them itself or launching them in a separate process.
Alternate Payloads: In some cases the payload was a variant of the W4SP Stealer, or a clipboard monitor targeting Bitcoin, Ethereum, Monero and Litecoin. The clipboard monitor used the pyperclip package to read the clipboard, recognise wallet addresses by their format, and replace them with attacker-controlled addresses so that the victim's next payment is redirected.
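The defensive counterpart, as an added example rather than code from the report or from the malware: recognise wallet addresses by format, then flag a clipboard that changes from one address to a different address of the same coin too quickly to be a second copy by the user. The regexes are format checks only (no checksum validation), and the poll history is a constructed sequence.

```python
"""Wallet-address recognition and clipboard-swap detection, the defensive
counterpart of the pyperclip clipboard monitor described above. Added
example, not code from the report or from the malware. The address patterns
are the author's assumptions (format checks only, no checksum validation)
and the clipboard history is a constructed sequence of polls."""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # no 0, O, I, l
BECH32 = r"[02-9ac-hj-np-z]"       # no 1, b, i, o
# (coin, pattern) for the formats the reported monitor targeted. Bitcoin and
# Litecoin both have "3..." P2SH addresses; those are classified as BTC here.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC", re.compile(rf"bc1{BECH32}{{11,71}}|[13]{BASE58}{{25,34}}")),
    ("LTC", re.compile(rf"ltc1{BECH32}{{11,71}}|[LM]{BASE58}{{26,33}}")),
    ("XMR", re.compile(rf"[48]{BASE58}{{94}}")),
]


def classify_address(text):
    """Return the coin whose address format the whole string matches, or None."""
    s = text.strip()
    for coin, rx in ADDRESS_PATTERNS:
        if rx.fullmatch(s):
            return coin
    return None


def detect_swaps(snapshots, window=2.0):
    """snapshots: (timestamp_seconds, clipboard_text) polls in time order.
    A swap is a change from one address to a different address of the same
    coin within `window` seconds, too fast to be a second copy by the user."""
    swaps, prev_t, prev_text = [], None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            before, after = classify_address(prev_text), classify_address(text)
            if before is not None and before == after and t - prev_t <= window:
                swaps.append({"coin": before, "original": prev_text.strip(),
                              "replacement": text.strip(), "seconds": round(t - prev_t, 3)})
        prev_t, prev_text = t, text
    return swaps


# Constructed poll history. The first BTC address is the well-known
# genesis-block address; the rest are syntactically valid placeholders.
SAMPLE_HISTORY = [
    (0.0, "invoice 1234"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),     # user copies a BTC address
    (5.2, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),     # replaced 200 ms later: swap
    (30.0, "0x" + "deadbeef" * 5),                   # user copies an ETH address
    (95.0, "0x" + "ab" * 20),                        # a different ETH address a minute later: normal
    (120.0, "L" + "abcdefghijkmnopqrstuvwxyzABCDEFGH"),  # LTC, never replaced
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_HISTORY):
        print(f"{swap['coin']} address swapped after {swap['seconds']}s: "
              f"{swap['original']} -> {swap['replacement']}")
```

A live watcher would feed detect_swaps() with (time.monotonic(), pyperclip.paste()) pairs polled every few hundred milliseconds, the same pyperclip call the malware uses to read the clipboard. Add checksum validation to classify_address() before alerting on it in production, since a format-only match will also fire on random base58 strings.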
Countermeasures: Most of the malicious packages had already been removed from PyPI when the research was published; ESET reported the remainder to PyPI, and all known malicious packages are now offline.
The case illustrates the standing problem with open repositories like PyPI: anyone can publish, and a package can run code at install time before anything in it is ever imported. For users that means treating a new dependency as untrusted input: review setup.py and any oddly named modules in the source distribution before installing, prefer pre-built wheels (pip install --only-binary :all:) so that no install-time script runs, pin dependencies with hashes (pip install --require-hashes -r requirements.txt), and watch the autostart locations on developer machines. Repository maintainers, for their part, need continued investment in detecting and removing such uploads quickly.
IoC
HOSTNAME
- blazywound.ignorelist.com
IPv4
- 204.152.203.78
SHA256
- 104a5192cf032cee44b732d33458a27909cef45d7391e092b9c13acd5779bb39
SHA1
- ef59c159d3fd668c3963e5ade3c726b8771e6f54
- b94e493579cc1b7864c70fafb43e15d2ed14a16b
- b0c8d6beee80813c8181f3038e42adacc3848e68
- ae3072a72f8c54596dcbcde9cfe74a4146a4ef52
- 70c271f79837b8cc42bd456a22ec51d1261ed0ca
- 439a5f553e4ee15edca1cfb77b96b02c77c5c388
- 07204ba8d39b20f5fcdb9c0242b112fadffa1bb4
REFERENCES
- https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/
- https://otx.alienvault.com/pulse/657b710c1b313b8547fa4145
TAGS
pypi, linux, w4sp stealer, persistence, oilrig, kryptocibule, w4sp