Beware of Typos that May lead to Malicious PyPI Package Installation

Cybersecurity experts have raised alarms over a new threat vector targeting Python developers: typo-squatting on the Python Package Index (PyPI).

The notorious Lazarus group, known for its cyber espionage and sabotage activities, has been implicated in the release of malicious packages designed to exploit typographical errors made by developers when installing packages.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Typosquatting: A Gateway for Malware

The JPCERT/CC has confirmed the release of several malicious packages on PyPI, including pycryptoenvpycryptoconfquasarlib, and swapmempool.

These packages were crafted to resemble the legitimate pycrypto package, a widely used encryption library in Python.

Python packages released by Lazarus attack group

The subtle misspellings are intended to dupe unsuspecting developers into downloading and installing malware on their systems.

Inside the Malicious Packages

Upon closer examination, the structure of these packages reveals a concerning setup. For instance, pycryptoenv it contains a file named test.py, which is not a Python script but an XOR-encoded DLL file.

The file within the package handles the decoding and execution of this file.

Flow up to Comebacker execution

This malware, called Comebacker, is not new to the cybersecurity community. Lazarus previously used it in a campaign targeting security researchers, as reported by Google in January 2021.

The malware is executed through a series of steps, starting with the decoding of test.py, saving it as output.py, and then running it as a DLL file.

The Comebacker Malware

The Comebacker malware uses HTTP POST requests to communicate with its command and control (C2) servers.

Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN

The data sent and received is encoded, and upon successful communication, the server sends back a Windows executable file.

This file is then executed in memory, avoiding detection by traditional antivirus software.

Lazarus has employed comparable techniques in disseminating malware through different package repositories, including npm, suggesting a more extensive approach to infiltrating software supply chains. This particular occurrence is not an isolated event.

npm package released by Lazarus attack group

Protecting Against Typosquatting Attacks

The malicious packages in question have been downloaded hundreds of times, suggesting that many developers have fallen victim to this scheme. 

Number of pycryptoenv downloads

Developers must be vigilant when installing packages, double-check the spelling, and verify the source’s authenticity.

Additionally, organizations should consider implementing automated tools to detect and block the installation of potentially malicious packages.

The discovery of these malicious PyPI packages is a stark reminder of the evolving threat landscape and the need for heightened awareness among developers.

As the Lazarus group continues to refine its strategies, the cybersecurity community must remain proactive in identifying and mitigating such threats.

For more detailed information on the malware and its behavior and the indicators of compromise, readers are directed to the appendices provided by JPCERT/CC.

This article is based on the findings and reports from JPCERT/CC and other cybersecurity sources.

The information provided aims to educate and inform the public about typo-squatting risks and the importance of cautious package installation practices.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

15 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

15 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

16 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

17 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

18 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

18 hours ago