Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.
These packages, found on the Python Package Index (PyPI) and NPM, have been meticulously analyzed to uncover their malicious intent and sophisticated attack mechanisms.
In late 2022, a CLI-based tool named GuardDog was released. Utilizing Semgrep and package metadata heuristics, GuardDog identifies malicious software packages based on common patterns.
By early 2023, GuardDog was scaled to continuously scan PyPI, leading to the identification and manual triage of nearly 1,500 malicious packages.
According to SecurityLabs reports, this effort has resulted in one of the most enormous labeled datasets of malicious packages available to the public.GuardDog Dashboard
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
Initial Lead: The “reallydonothing” Package
The initial lead came from a package named “reallydonothing,” published on May 9, 2024. This package exhibited several suspicious characteristics:
These indicators triggered GuardDog’s rules, prompting further investigation.
The malicious packages, including “reallydonothing,” “jupyter-calendar-extension,” “calendar-extender,” “ReportGenPub,” and “Auto-Scrubber,” share a standard structure.
They consist of a single Python file, setup.py, which overwrites the setup command to execute malicious code upon installation.
Code Example:
class InstallCommand(install):
def run(self):
install.run(self)
# malicious code follows
setup(
name='reallydonothing',
version='0.1',
license='MIT',
packages=find_packages(),
cmdclass={'install': InstallCommand},
)
The malicious code searches for specific file patterns on the local file system and uses hardcoded values to determine the presence of a secret file.
Further malicious actions are executed if the file is found, including downloading and running a second-stage binary.
How the Identified Malicious Packages Differ
The identified packages vary in file patterns, hardcoded values, and the locations where they drop binaries.
Here is a summary of the differences:
Package Name | Version | Files Matched | Hardcoded Magic Words | Path of Dropped Binary | File Created After Successful Infection |
reallydonothing | 0.1 | /Library/Application Support/t*/O/* | railroad, jewel, drown, archive | ~/.local/bin/donothing | /tmp/testing |
reallydonothing | 0.3 | /Library/Application Support/t*/O/* | railroad, jewel, drown, archive | ~/.local/bin/donothing | /tmp/testing |
jupyter-calendar-extension | 0.1 | /Users/Shared/C*/r/2*/* | craft, ribbon, effect, jacket | ~/.local/bin/jupyter_calendar | /tmp/21cb7184-5e4e-4041-b6db-91688a974c56 |
calendar-extender | 0.1 | /Users/Shared/C*/r/2*/* | craft, ribbon, effect, jacket | ~/.local/bin/calendar_extender | /tmp/9bacc561-8485-4731-9c09-7eb4f3fae355 |
calendar-extender | 0.2 | /Users/Shared/C*/r/2*/* | craft, ribbon, effect, jacket | ~/.local/bin/calendar_extender | /tmp/21cb7184-5e4e-4041-b6db-91688a974c56 |
ReportGenPub | 0.1 | /Users/Shared/P*/c/R*/* | bench, example, assume, reservoir | ~/.local/bin/report_gen | None |
ReportGenPub | 0.2 | /Users/Shared/P*/c/R*/* | bench, example, assume, reservoir | ~/.local/bin/report_gen | None |
Auto-Scrubber | 0.1 | /Users/Shared/Videos/t/2*/* | liberty, seed, novel, structure | ~/.local/bin/AutoScrub | None |
Assessment
These malicious packages specifically target MacOS systems, searching for files in standard directories like /Users/Shared and /Library/Application Support.
The attacker’s intentions remain obscure due to the use of one-way hashing functions and secret file paths, making it difficult to determine the payload URL without the secret file path.
The discovery of these malicious packages highlights the importance of continuously monitoring and analyzing software repositories.
Tools like GuardDog play a crucial role in identifying and mitigating such threats.
Users should stay vigilant and regularly update their security measures to protect against these sophisticated attacks.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…