Tuesday, November 12, 2024
HomeCyber Security NewsBeware of Typos that May lead to Malicious PyPI Package Installation

Beware of Typos that May lead to Malicious PyPI Package Installation

Published on

Malware protection

Cybersecurity experts have raised alarms over a new threat vector targeting Python developers: typo-squatting on the Python Package Index (PyPI).

The notorious Lazarus group, known for its cyber espionage and sabotage activities, has been implicated in the release of malicious packages designed to exploit typographical errors made by developers when installing packages.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

- Advertisement - SIEM as a Service

Typosquatting: A Gateway for Malware

The JPCERT/CC has confirmed the release of several malicious packages on PyPI, including pycryptoenvpycryptoconfquasarlib, and swapmempool.

These packages were crafted to resemble the legitimate pycrypto package, a widely used encryption library in Python.

Python packages released by Lazarus attack group
Python packages released by Lazarus attack group

The subtle misspellings are intended to dupe unsuspecting developers into downloading and installing malware on their systems.

Inside the Malicious Packages

Upon closer examination, the structure of these packages reveals a concerning setup. For instance, pycryptoenv it contains a file named test.py, which is not a Python script but an XOR-encoded DLL file.

The file within the package handles the decoding and execution of this file.

Flow up to Comebacker execution
Flow up to Comebacker execution

This malware, called Comebacker, is not new to the cybersecurity community. Lazarus previously used it in a campaign targeting security researchers, as reported by Google in January 2021.

The malware is executed through a series of steps, starting with the decoding of test.py, saving it as output.py, and then running it as a DLL file.

The Comebacker Malware

The Comebacker malware uses HTTP POST requests to communicate with its command and control (C2) servers.

Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN
Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN

The data sent and received is encoded, and upon successful communication, the server sends back a Windows executable file.

This file is then executed in memory, avoiding detection by traditional antivirus software.

Lazarus has employed comparable techniques in disseminating malware through different package repositories, including npm, suggesting a more extensive approach to infiltrating software supply chains. This particular occurrence is not an isolated event.

npm package released by Lazarus attack group
npm package released by Lazarus attack group

Protecting Against Typosquatting Attacks

The malicious packages in question have been downloaded hundreds of times, suggesting that many developers have fallen victim to this scheme. 

Number of pycryptoenv downloads
Number of pycryptoenv downloads

Developers must be vigilant when installing packages, double-check the spelling, and verify the source’s authenticity.

Additionally, organizations should consider implementing automated tools to detect and block the installation of potentially malicious packages.

The discovery of these malicious PyPI packages is a stark reminder of the evolving threat landscape and the need for heightened awareness among developers.

As the Lazarus group continues to refine its strategies, the cybersecurity community must remain proactive in identifying and mitigating such threats.

For more detailed information on the malware and its behavior and the indicators of compromise, readers are directed to the appendices provided by JPCERT/CC.

This article is based on the findings and reports from JPCERT/CC and other cybersecurity sources.

The information provided aims to educate and inform the public about typo-squatting risks and the importance of cautious package installation practices.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...