Unveiling the Sinister Python Packages in PyPI Repository: A North Korean Connection
In the constantly evolving world of cybersecurity, nothing is sacred. Not even the sanctity of Python's official Package Index (PyPI) repository. As per recent discoveries, three new rogue Python packages have surfaced, leaving developers and security experts alarmed. These packages, with names like tablediter, request-plus, and requestspro, form part of a larger software supply chain attack, codenamed VMConnect. Even more alarming is the potential involvement of North Korean state-sponsored hackers in this campaign.
What is PyPI?
Before we delve into the nitty-gritty of the malicious Python packages, it's essential to understand what the Python Package Index (PyPI) is. PyPI serves as the official third-party software repository for Python, allowing developers to find, install, and publish Python packages easily. However, with great power comes great responsibility. The widespread adoption of PyPI makes it a lucrative target for attackers aiming to spread malicious code. Read more about PyPI here.
VMConnect: A Growing Supply Chain Attack
Initially disclosed earlier this month by cybersecurity firms ReversingLabs and Sonatype, VMConnect refers to a set of Python packages that emulate well-known open-source Python utilities. These rogue packages serve as a vessel to download an unidentified second-stage malware onto the affected system.
The Tricky Mechanics of tablediter
The tablediter package particularly stands out for its sneaky operation. Unlike previous incarnations, it doesn't execute malicious code immediately upon installation. Instead, it bides its time. This strategic delay allows it to evade detection by most behavior-based security software. Security researcher Karlo Zanki elucidates that by deferring the execution of the malicious code until the package is imported and its functions called, attackers raise the bar for potential defenders.
The request-plus and requestspro Packages
Not far behind are the other two packages, request-plus and requestspro. They come armed with capabilities to gather machine data and transmit it to a Command-and-Control (C2) server. The server, in return, sends a token to the infected machine, thereby initiating the next phase of the malware attack.
Typosquatting: The Art of Deception
What makes these Malicious Python Packages in PyPI Repository more dangerous is the attackers' use of typosquatting techniques. They're impersonating legitimate packages like prettytable and requests to catch developers off guard. By misspelling package names or using look-alike characters, they lure developers into mistakenly installing these harmful packages.
North Korean Connections and Token-Based Techniques
The malware campaign adopts a token-based approach, eerily reminiscent of an npm campaign revealed by Phylum in June. This tactic has further raised suspicions of North Korean involvement, supported by GitHub's identification of a threat actor known as Jade Sleet, which also goes by other names such as TraderTraitor and UNC4899.
Multiple Platforms at Risk
The rogue packages don't discriminate based on operating systems. Whether you're on Windows, macOS, or Linux, you're at risk. The malware checks the OS information and alters its infection course accordingly.
Other Notable Malicious Python Packages
It's worth mentioning that there have been other sinister Python packages. One such package is py_QRcode, linked to a different North Korean activity codenamed SnatchCrypto. This package has primarily targeted developers in the cryptocurrency exchange business and has similar functionalities to those found in VMConnect.
Final Thoughts on the Malicious Python Packages in PyPI Repository
The continuous emergence of Malicious Python Packages in PyPI Repository underlines the ever-present risks in the digital realm. It serves as a stark reminder to developers and cybersecurity experts alike that eternal vigilance is the price of digital security.
Further Reading:
- Python's Official Guidelines for Package Security
- ReversingLab's Detailed Report on VMConnect
- GitHub's Analysis on North Korean Cyber Activities
This article seeks to serve as a comprehensive resource on the emergence and threat posed by Malicious Python Packages in PyPI Repository. Let's remain vigilant and stay one step ahead of the attackers.
FAQs
What is the PyPI Repository?
The Python Package Index (PyPI) is a repository of software packages developed by the Python community. These packages may include libraries, frameworks, and tools that can be used to build Python applications.
What are Malicious Python Packages?
Malicious Python packages are rogue or compromised packages in the PyPI repository designed to execute harmful actions, such as data theft or remote control of the infected machine.
How Were These Malicious Packages Discovered?
The malicious Python packages were discovered by ReversingLabs as part of an ongoing software supply chain campaign called VMConnect. The campaign shows signs of North Korean state-sponsored activity.
What is Typosquatting?
Typosquatting is a technique used by bad actors to create Python packages with names very similar to popular ones. The aim is to trick developers into mistakenly downloading the rogue package.
What Does the Package ‘Tablediter' Do?
The ‘tablediter' package is designed to run in an endless execution loop, polling a remote server periodically to retrieve and execute a Base64-encoded payload. The exact nature of the payload is currently unknown.
What Are Request-Plus and Requestspro?
These are two additional rogue packages that have the capability to collect information about the infected machine and transmit it to a command-and-control (C2) server.
What Is a Token-Based Approach?
A token-based approach involves using digital tokens for authentication and session management. In this case, the rogue packages use tokens to communicate with C2 servers covertly.
How Are These Attacks Linked to North Korea?
The code, tactics, and infrastructure used in these attacks overlap with known North Korean cyber operations. This is corroborated by multiple cybersecurity organizations.
Are Multiple Operating Systems Targeted?
Yes, the malicious packages run in Windows, macOS, and Linux environments. The malware adapts its infection flow based on the operating system.
How Can I Protect My System?
Always verify the source and integrity of Python packages before installing them. Keep your security software updated and regularly monitor for unusual system or network activity.
Kevin Bong was formerly the Director of Corporate Security for Johnson Financial Group, and currently works as an Information Assurance Consultant for SynerComm, Inc.Β Kevin has a BS in Physics and Computer Science from Carroll University, an MS in Information Security Engineering from the SANS Institute, and has earned multiple certifications including PMP and GIAC GSE.Β Kevin is also an amateur astronomer, beekeeper, an author and instructor, and a pretty neat dad. Prior to Impulsec, Kevin workedΒ a Penetration Testing “Drop Box” project similar to the Pwnie Express called the MiniPwner.