Hackers have been caught combining two known methods to try to deliver malware to Python developers: DLL sideloading and typosquatting.
Cybersecurity researchers at ReversingLabs recently detected two Python packages in the PyPI repository, called NP6HelperHttptest and NP6HelperHttper, that, if installed, could give attackers the ability to execute malicious code on the affected endpoints.
Hacker News says that these two are actually typo versions of NP6HelperHttp and NP6HelperConfig, auxiliary tools for a marketing automation solution published by ChapsVision employees.
Delivering Cobalt Strike beacons
Obviously, whoever created these malicious packages was betting that Python developers would search for the legitimate tools and accidentally pick the misspelled ones. Anyone who makes that mistake gets a setup.py script that downloads two files: a malicious DLL, dgdeskband64.dll, and a legitimate executable vulnerable to DLL sideloading, ComServer.exe.
When the executable runs, it loads the malicious DLL, which reaches out to a domain under the attackers' control and fetches a GIF. That file is actually shellcode for a Cobalt Strike beacon. The researchers believe the two packages are part of a larger malicious campaign.
“Development organizations should be aware of threats related to supply chain security and open source package repositories,” said security researcher Karlo Zanki. “Even if they don't use open source package repositories, that doesn't mean threat actors won't abuse them to impersonate companies and their software products and tools.”
In total, the two packages were downloaded about 700 times before being detected and removed from the repository.
Supply chain attacks through PyPI are nothing new. Just a week earlier, Phylum researchers warned of more than 400 malicious packages spreading through PyPI, leaking people's data, compromising applications, and stealing cryptocurrency. Most of those attackers relied on the same typosquatting technique, attempting to trick people into downloading a malicious package.