Hackers have been spotted combining two well-known methods to deliver malware to Python developers: DLL side-loading and typosquatting.
Cybersecurity researchers at ReversingLabs recently discovered two Python packages in the PyPI repository, called NP6HelperHttptest and NP6HelperHttper, which, if installed, could give the attackers the ability to execute malicious code on the vulnerable endpoints.
The hacker news says that these two are actually typed versions of NP6HelperHttp and NP6HelperConfig, tools for a marketing automation solution published by ChapsVision employees.
Deploy Cobalt Strike beacons
Clearly, whoever built these malicious packages was betting that Python developers searched for these tools and accidentally chose the wrong ones. Those who make this mistake will receive a setup.py script, which downloads two files: a malicious side-loading DLL – dgdeskband64.dll, and an executable vulnerable to side-loading – ComServer.exe.
During the process, the executable calls the DLL, which contacts a domain under the attackers’ control, and grabs a GIF. That file is actually shellcode for a Cobalt Strike beacon. The researchers believe that these two packages are part of a larger malicious campaign.
“Development organizations need to be aware of the threats associated with supply chain security and open-source package repositories,” says security researcher Karlo Zanki. “Even if they don’t use open source package repositories, that doesn’t mean threat actors won’t abuse them to impersonate companies and their software products and tools.”
In total, the two packages were downloaded approximately 700 times before being noticed and removed from the repository.
Supply chain attacks via PyPI are nothing new. Just a week ago, Phylum researchers warned of more than 400 malicious packages being distributed via PyPI, exfiltrating people’s data, compromising applications, and stealing cryptocurrencies. Most attackers use the typosquatting technique in an attempt to trick people into downloading a malicious package.