    Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages

By justmattg, February 10, 2023

Feb 10, 2023 | Ravie Lakshmanan | Supply Chain / Software Security

    Four different rogue packages in the Python Package Index (PyPI) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file.

    The packages in question are aptx, bingchilling2, httops, and tkint3rs, all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm’s highly popular audio codec of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively.

“Most of these packages had well thought out names, to purposely confuse people,” security researcher and journalist Ax Sharma said.

    An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that’s disguised as “pip,” a legitimate package installer for Python, and can be leveraged to gain shell access to the infected host.

The setup script also takes steps to remove the netstat command-line utility, which is used to monitor network configuration and activity, and to modify the .ssh/authorized_keys file to set up an SSH backdoor for remote access.

    “Now this is a sleek but real world example of damaging malware that successfully made its way into the open source ecosystem,” Sharma noted.
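As an added illustration (not code from the article, the researchers, or the packages described), here is a static triage pass a defender can run over a package's setup.py before installing it: it parses the file without executing it and flags the indicators described above (exec of decoded data, shell commands, references to netstat and authorized_keys), and it checks the package name against a short list of popular names to catch typosquats such as httops and tkint3rs. The sample setup script, the POPULAR list and the indicator lists are constructed for this example.

```python
import ast
import difflib

# Constructed sample resembling the behaviour described in the article.
# It is only parsed by this script, never executed.
SAMPLE_SETUP = '''
import base64, os, subprocess
from setuptools import setup
os.system("rm -f /usr/bin/netstat")
open(os.path.expanduser("~/.ssh/authorized_keys"), "a").write("ssh-rsa PLACEHOLDER_KEY")
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
setup(name="httops", version="0.0.1")
'''

# Small constructed allow-list of well-known names to compare against.
POPULAR = ["requests", "https", "tkinter", "numpy", "urllib3"]
SUSPICIOUS_CALLS = {"exec", "eval", "os.system", "subprocess.Popen",
                    "subprocess.run", "subprocess.call", "base64.b64decode"}
SUSPICIOUS_STRINGS = ("authorized_keys", "netstat", "/bin/sh")


def _call_name(node):
    """Dotted name of a call target such as 'os.system', or None if not simple."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def scan_setup(src):
    """Return sorted (line, kind, detail) findings from a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(src)):  # parse only: nothing in src runs
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for s in SUSPICIOUS_STRINGS:
                if s in node.value:
                    findings.append((node.lineno, "string", s))
    return sorted(findings)


def typosquat_candidates(name, popular=POPULAR, cutoff=0.75):
    """Popular package names that closely resemble `name` (excluding an exact match)."""
    return [p for p in difflib.get_close_matches(name, popular, n=3, cutoff=cutoff) if p != name]


if __name__ == "__main__":
    for line, kind, detail in scan_setup(SAMPLE_SETUP):
        print(f"line {line}: suspicious {kind} -> {detail}")
    print("httops resembles:", typosquat_candidates("httops"))
```

A hit from either check is a reason to inspect the sdist by hand, not proof of malice; legitimate build scripts do occasionally shell out.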


But in a sign that malware sneaking into software repositories is a recurring threat, Fortinet FortiGuard Labs uncovered five different packages – web3-essential, 3m-promo-gen-api, ai-solver-gen, hypixel-coins, httpxrequesterv2, and httpxrequester – that are engineered to harvest and exfiltrate sensitive information.

    The disclosures come as ReversingLabs sheds light on a malicious npm module named aabquerys that’s designed to masquerade as the legitimate abquery package to trick developers into downloading it.

The obfuscated JavaScript code, for its part, can retrieve a second-stage executable from a remote server, which in turn contains an Avast proxy binary (wsc_proxy.exe) that is known to be vulnerable to DLL side-loading attacks.

    This enables the threat actor to invoke a malicious library that’s engineered to fetch a third-stage component, Demon.bin, from a command-and-control (C2) server.

    “Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command-and-control framework named Havoc,” ReversingLabs researcher Lucija Valentić said.

    Furthermore, the author of aabquerys is said to have published multiple versions of two other packages named aabquery and nvm_jquery that are suspected to be early iterations of aabquerys.

Havoc is far from the only C2 framework detected in the wild; criminal actors also leverage custom suites such as Manjusaka, Covenant, Merlin, and Empire in malware campaigns.

The findings also underscore the growing risk of nefarious packages lurking in open source repositories like npm and PyPI, which can have a severe impact on the software supply chain.