The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware.
The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.
“The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python,” JPCERT/CC researcher Shusei Tomonaga said. “Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages.”
The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that were used to single out software developers as part of a campaign codenamed Contagious Interview.
An interesting commonality between the two sets of attacks is that the malicious code is hidden within the test script (“test.py”). In this case, however, the test file is merely a smokescreen for what is actually an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.
The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware known as Comebacker that is responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.
JPCERT/CC said the packages are a continuation of a campaign that Phylum first detailed in November 2023 as leveraging crypto-themed npm modules to deliver Comebacker.
“Attackers may be targeting users’ typos to have the malware downloaded,” Tomonaga said. “When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages.”
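The typosquatting pattern described above (a legitimate name such as pycrypto padded with a short suffix, or altered by a typo) is something a project can screen for before installing dependencies. The following is an added example, not code from JPCERT/CC or the Lazarus packages; the allow-list of known package names is constructed for illustration, and the distance and suffix thresholds are assumptions to tune per project.

```python
import re
from typing import Optional

# Constructed, illustrative allow-list of legitimate packages a team relies on.
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "requests", "numpy", "cryptography"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_lookalike(name: str, known=KNOWN_PACKAGES, max_edits: int = 2,
                         max_affix: int = 5) -> Optional[str]:
    """Return the known package that `name` resembles, or None if it looks benign.

    Two heuristics: a small edit distance (a classic typo such as reqeusts), or a
    known name used as prefix/suffix with a short add-on, which is the pattern of
    pycryptoenv and pycryptoconf built on pycrypto. Thresholds are assumptions.
    """
    n = name.lower().replace("_", "-")
    if n in known:
        return None
    # Check longer known names first so "pycryptodome" wins over "pycrypto".
    for k in sorted(known, key=len, reverse=True):
        if levenshtein(n, k) <= max_edits:
            return k
        if (n.startswith(k) or n.endswith(k)) and len(n) - len(k) <= max_affix:
            return k
    return None


def audit_requirements(text: str):
    """Parse requirements.txt-style text; return [(requested_name, lookalike_of)]."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Keep only the distribution name: strip extras and version specifiers.
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        hit = suspicious_lookalike(name)
        if hit:
            findings.append((name, hit))
    return findings
```

Running `audit_requirements` over a requirements file before `pip install` turns a silent typosquat into a review item; names that are genuinely new should be added to the allow-list after a human check.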
Some parts of this article are sourced from:
thehackernews.com