Hackers have been caught combining two known methods to try to deliver malware to Python developers: DLL sideloading and typosquatting.
Cybersecurity researchers at ReversingLabs recently detected two Python packages in the PyPI repository, called NP6HelperHttptest and NP6HelperHttper, that, if installed, could give attackers the ability to execute malicious code on vulnerable endpoints.
Hacker News reports that these two are typosquatted versions of NP6HelperHttp and NP6HelperConfig, helper libraries for a marketing automation solution published by ChapsVision employees.
Deploying Cobalt Strike beacons
Obviously, whoever created these malicious packages was betting that Python developers would search for these tools and accidentally pick the wrong ones. Anyone who makes that mistake runs a setup.py script at install time that downloads two files: a malicious DLL for sideloading, dgdeskband64.dll, and a legitimate executable vulnerable to DLL sideloading, ComServer.exe.
When the executable runs, it loads the DLL, which reaches out to a domain under the attackers' control and fetches a GIF. That file is actually shellcode for a Cobalt Strike beacon. Researchers believe these two packages are part of a larger malicious campaign.
“Development organizations should be aware of threats related to supply chain security and open source package repositories,” said security researcher Karlo Zanki. “Even if they don't use open source package repositories, that doesn't mean threat actors won't abuse them to impersonate companies and their software products and tools.”
In total, the two packages were downloaded about 700 times before being detected and removed from the repository.
Supply chain attacks through PyPI are nothing new. Just a week ago, Phylum researchers warned of more than 400 malicious packages spreading through PyPI, leaking people's data, compromising applications, and stealing cryptocurrency. Most of these attackers rely on typosquatting, hoping to trick people into downloading a malicious package.