February 29, 2024 at 03:33AM
North Korean state-backed hackers, the Lazarus group, uploaded four malware-laden packages to the PyPI repository, which were collectively downloaded 3,269 times. The packages, now removed, targeted Python developers by capitalizing on typos made during installation. The attack mirrors Phylum's earlier discovery of rogue npm packages aimed at developers; both campaigns hide the malicious code inside test scripts. JPCERT/CC urges caution when installing software.
From the notes, it is evident that the North Korean state-backed hacking group Lazarus uploaded four malicious packages to the Python Package Index (PyPI) repository with the intention of infecting developer systems with malware. The packages, namely pycryptoenv, pycryptoconf, quasarlib, and swapmempool, were collectively downloaded 3,269 times, with pycryptoconf having the highest number of downloads at 1,351.
Notably, these packages were designed to exploit typos users make during installation, in particular by trading on their similarity to legitimate Python packages such as pycrypto. The malicious code is concealed within a test script ("test.py"), which serves as a smokescreen for an XOR-encoded DLL file; decoding and loading it ultimately executes a malware called Comebacker, which is responsible for establishing connections with a command-and-control (C2) server.
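One practical defensive screen against the name-similarity trick described above is to compare every declared dependency against an allowlist of the packages a project actually intends to use and flag near-misses for review. The following is an added example, not code from the report or from JPCERT/CC; the allowlist and pinned versions are constructed, while the suspicious package names are those named in the report.

```python
"""Typosquat screen for a requirements list (added example, not from the article)."""
import re
from difflib import SequenceMatcher

# Constructed allowlist; in practice use the organisation's approved package list.
KNOWN_GOOD = {"pycrypto", "pycryptodome", "requests", "numpy", "cryptography"}

# Constructed requirements file: the suspicious names are from the report,
# the pinned versions are made up for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0   # fine
pycryptoenv
pycryptoconf>=1.0
numpy==1.26.4
quasarlib
"""


def parse_requirements(text):
    """Return bare, normalised distribution names from a requirements file body."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        # Cut at the first version specifier, extras bracket, marker or space.
        name = re.split(r"[<>=!~;\[ ]", line, 1)[0]
        names.append(name.lower().replace("_", "-"))
    return names


def suspicious(name, known=KNOWN_GOOD, threshold=0.8):
    """Return the known-good name this one resembles, or None if it looks clean.

    A name is flagged when it is not itself on the allowlist but either extends a
    known-good name as a prefix (pycryptoenv -> pycrypto, the pattern in the report)
    or sits within a character-similarity threshold of one (swapped/missing letters).
    Legitimate extensions such as requests-toolbelt will also be flagged; the output
    is a review list, not a verdict.
    """
    if name in known:
        return None
    for good in sorted(known):  # sorted for deterministic matching
        if name.startswith(good) or SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None


def screen(text):
    """Map each flagged dependency to the known-good package it resembles."""
    return {n: suspicious(n) for n in parse_requirements(text) if suspicious(n)}
```

Running `screen(SAMPLE_REQUIREMENTS)` flags pycryptoenv and pycryptoconf against pycrypto; quasarlib passes because it resembles nothing on this allowlist, which is why such a screen complements, rather than replaces, checking a package's publisher and contents before installing it.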
This attack is reminiscent of a previous campaign detailed by Phylum in November 2023, which also leveraged crypto-themed npm modules to deliver Comebacker. JPCERT/CC researcher Shusei Tomonaga has cautioned users to be vigilant during the installation of modules and other software to prevent the inadvertent installation of unwanted packages.
This development holds significant implications for endpoint security and highlights the importance of thoroughly vetting packages and staying vigilant against such malicious activity.