Beware of Typos that May lead malicious PyPI Package Installation

Cybersecurity experts have raised alarms over a new threat vector targeting Python developers: typo-squatting on the Python Package Index (PyPI).

The notorious Lazarus group, known for its cyber espionage and sabotage activities, has been implicated in the release of malicious packages designed to exploit typographical errors made by developers when installing packages.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Typosquatting: A Gateway for Malware

The JPCERT/CC has confirmed the release of several malicious packages on PyPI, including pycryptoenvpycryptoconfquasarlib, and swapmempool.

These packages were crafted to resemble the legitimate pycrypto package, a widely used encryption library in Python.

Python packages released by Lazarus attack group
Python packages released by Lazarus attack group

The subtle misspellings are intended to dupe unsuspecting developers into downloading and installing malware on their systems.

Inside the Malicious Packages

Upon closer examination, the structure of these packages reveals a concerning setup. For instance, pycryptoenv it contains a file named test.py, which is not a Python script but an XOR-encoded DLL file.

The file within the package handles the decoding and execution of this file.

Flow up to Comebacker execution
Flow up to Comebacker execution

This malware, called Comebacker, is not new to the cybersecurity community. Lazarus previously used it in a campaign targeting security researchers, as reported by Google in January 2021.

The malware is executed through a series of steps, starting with the decoding of test.py, saving it as output.py, and then running it as a DLL file.

The Comebacker Malware

The Comebacker malware uses HTTP POST requests to communicate with its command and control (C2) servers.

Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN
Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN

The data sent and received is encoded, and upon successful communication, the server sends back a Windows executable file.

This file is then executed in memory, avoiding detection by traditional antivirus software.

Lazarus has employed comparable techniques in disseminating malware through different package repositories, including npm, suggesting a more extensive approach to infiltrating software supply chains. This particular occurrence is not an isolated event.

npm package released by Lazarus attack group
npm package released by Lazarus attack group

A previous report by BleepingComputer highlighted the deployment of fake VMware PyPI packages by Lazarus hackers, further underscoring the group’s focus on infiltrating developer ecosystems.

Protecting Against Typosquatting Attacks

The malicious packages in question have been downloaded hundreds of times, suggesting that many developers have fallen victim to this scheme. 

Number of pycryptoenv downloads
Number of pycryptoenv downloads

Developers must be vigilant when installing packages, double-check the spelling, and verify the source’s authenticity.

Additionally, organizations should consider implementing automated tools to detect and block the installation of potentially malicious packages.

The discovery of these malicious PyPI packages is a stark reminder of the evolving threat landscape and the need for heightened awareness among developers.

As the Lazarus group continues to refine its strategies, the cybersecurity community must remain proactive in identifying and mitigating such threats.

For more detailed information on the malware and its behavior and the indicators of compromise, readers are directed to the appendices provided by JPCERT/CC.

This article is based on the findings and reports from JPCERT/CC and other cybersecurity sources.

The information provided aims to educate and inform the public about typo-squatting risks and the importance of cautious package installation practices.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *