Cybersecurity analysts at ReversingLabs have observed a novel tactic employed by hackers targeting Python developers. By combining DLL side-loading with typosquatting, they attempt to distribute malware.
ReversingLabs recently detected two suspicious Python packages, NP6HelperHttptest and NP6HelperHttper, within the PyPI repository. These packages, if installed, could enable attackers to execute malicious code on vulnerable systems.
According to reports from The Hacker News, NP6HelperHttptest and NP6HelperHttper are deceptive variations of legitimate packages NP6HelperHttp and NP6HelperConfig. These authentic tools are part of a marketing automation solution developed by ChapsVision employees.
The deployment of Cobalt Strike beacons
It appears that the creators of these malicious packages targeted Python developers, banking on them searching for specific tools and mistakenly selecting the wrong ones. Those who fall into this trap will execute a setup.py script, which initiates the download of two files: a malicious DLL named dgdeskband64.dll for side-loading, and an executable susceptible to side-loading, ComServer.exe.
During this process, the executable calls upon the DLL, which connects to a domain controlled by the attackers and retrieves a GIF file. Surprisingly, this file contains a shellcode for a Cobalt Strike beacon. Researchers suspect that these two packages are components of a larger malicious scheme.
Security researcher Karlo Zanki emphasized the importance for development organizations to acknowledge the risks associated with supply chain security and open-source package repositories. Zanki stated, “Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”
Before their removal from the repository, the two packages were downloaded approximately 700 times in total.
Supply chain attacks via PyPI are not uncommon. Just a week prior, researchers from Phylum cautioned about over 400 malicious packages circulating through PyPI, which aimed at data exfiltration, application compromise, and cryptocurrency theft. The majority of these attackers utilize typosquatting techniques to deceive users into downloading malicious packages.
