Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

Feb 29, 2024 Newsroom Malware / Endpoint Security

The infamous North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the aim of infecting developer systems with malware.

The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.

“The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python,” JPCERT/CC researcher Shusei Tomonaga said. “Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages.”
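As an added illustration of the typosquatting risk described above (example code, not from the article, JPCERT/CC, or Phylum), the check below flags requirement names that are either a short edit away from a known package or a known name with a short suffix glued on, as pycryptoenv and pycryptoconf are to pycrypto. The known-package list and the requirement lines are constructed samples.

```python
import re

# Constructed sample allow-list; a real deployment would load the top-N PyPI names
# plus the organisation's own approved packages.
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "requests", "cryptography", "numpy"}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance by the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_matches(name, known=KNOWN_PACKAGES, max_distance=2, max_suffix=4):
    """Return (known_name, reason) pairs when `name` looks like a typo of a known
    package: either a small edit distance (dropped or swapped characters) or the
    known name with a short suffix appended, as in pycryptoenv / pycryptoconf."""
    n = normalize(name)
    hits = []
    for k in sorted(normalize(k) for k in known):
        if n == k:
            return []  # exact match: this is the real package, not a look-alike
        d = levenshtein(n, k)
        if d <= max_distance:
            hits.append((k, f"edit distance {d}"))
        elif n.startswith(k) and 0 < len(n) - len(k) <= max_suffix:
            hits.append((k, f"known name plus suffix '{n[len(k):]}'"))
    return hits

def audit_requirements(text: str) -> dict:
    """Map each suspicious requirement name to its matches; clean names are omitted."""
    flagged = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            # Cut the name off at the first version/extras/marker character.
            name = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
            if matches := typosquat_matches(name):
                flagged[name] = matches
    return flagged
```

Running `audit_requirements` over a requirements file before `pip install` gives a cheap pre-install gate; tune `max_distance` and `max_suffix` against the allow-list you actually use to keep false positives low.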

The disclosure comes days after Phylum uncovered a set of rogue packages on the npm registry that were used to single out software developers as part of a campaign codenamed Contagious Interview.


An interesting commonality between the two sets of attacks is that the malicious code is concealed within the test script ("test.py"). In this case, however, the test file is merely a smokescreen for what is an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.

The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware known as Comebacker that is responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.

JPCERT/CC said the packages are a continuation of a campaign that Phylum first detailed in November 2023 as leveraging crypto-themed npm modules to deliver Comebacker.

“Attackers may be targeting users’ typos to have the malware downloaded,” Tomonaga said. “When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages.”



Author: data@thehackernews.com (The Hacker News)
Date: 2024-02-29 03:17:00
