JFrog researchers have discovered 11 malicious Python packages on PyPI, the official third-party package repository for Python, which have been collectively downloaded over 41,000 times.
This is not the first time that malicious packages have been successfully introduced into online package repositories and will surely not be the last. What’s worrying the researchers is that attackers are using increasingly advanced techniques to avoid detection.
Detection evasion techniques
The malicious packages – importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty – steal Discord tokens, establish a reverse shell over HTTP giving the attacker full control over an infected machine, or collect user information and send it via DNS tunneling to a server run by the attackers.
Another technique that some of these malicious Python packages use to evade network-based detection is to use the Fastly content delivery network (CDN) to disguise communications with the C2 server as a communication with pypi.org.
“The PyPI infrastructure is hosted on the Fastly CDN. This hosting uses the Varnish transparent HTTP proxy to cache the communication between clients and the backend. The traffic first goes into a TLS terminator for decryption, so the Varnish proxy can inspect the contents of the HTTP packet. The proxy analyzes the HTTP headers from the user’s request and redirects the request to the corresponding backend according to the Host header. The process then repeats itself in the reverse direction, allowing the malware to imitate duplex communication with PyPI. As a result, the command & control (C2) session is encrypted and signed with a legitimate server certificate, making it indistinguishable from communicating with legitimate PyPI resources,” JFrog researchers explained.
The attackers are also using the TrevorC2 framework to implement a masked command and control client. “Using this framework, the client contacts the server in a way that looks similar to standard website browsing, making the traffic even more obscure,” they noted.
Finally, there is indication that, at least in some cases, the attackers are exploiting dependency confusion to succeed in their intent. (Apiiro recently released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks.)
“While this set of malicious packages may not have the same ‘teeth’ as our previous discoveries, what’s notable is the increasing level of sophistication with which they are executed. It’s not reaching for your wallet in broad daylight – but there is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly-compromising payload to start,” the researchers concluded.
As always, developers are advised to be extra careful when downloading packages from public repositories.
Source of this news: https://www.helpnetsecurity.com/2021/11/22/malicious-python-packages-detection/
Related posts:
Written by Benjamin Freed Monton 30, 2021 | STATESCOOP With more than half of the Oklahoma state government’s request, 000-person workforce still working on their duties remotely in a year's...
Last Reviewed Date: 01/10/2021 This Privacy Policy (“Policy”) describes the information which Times Internet Limited (“We”, “Us”, “Our” “Services”, “Company”) collects from you when you download, acc...
PROSPECTUS Filed Pursuant to Rule 424(b)(4) Registration Statement No. 333-261367 $175,000,000 Spree Acquisition Corp. 1 Limited 17,500,000 Units Spree Acquisition Corp. 1 Limite...
If you’re looking to change your location online and stay a little more private, you may be wondering which is better when it comes to comparing VPN and proxy servers. For the casual user, it mi...
By Jack M. Germain Oct 21, 2021 5:00 AM PT A new fraud ring called Proxy Phantom is using sophisticated credential stuffing attack methods to take over customer accounts for U.S.-based e-commerce me...
A cloud content delivery network (CDN) is a cloud-based globally distributed network of proxy servers installed in multiple data centers. The goal of cloud CDN is to ensure faster delivery of conten...
Chrome is one of the popular browsers offering a seamless browsing experience without complicating things. But it’s prone to throwing issues at users. One of the common issues is when Chrome fails to...
VPNs have become a very popular service over the last decade. With many people waking up to the importance of privacy and data protection, we’ve been seeing more and more VPN providers springing up...
Outspoken actress Rose McGowan has moved to Mexico and says she will never return to live in the USA. Speaking on the YouTube series The Dab Roast, McGowan said she moved to Mexico in early 2020. ...
Our independent reviews and recommendations are funded in part by affiliate commissions, at no extra cost to our readers. Click to Learn More A VPN, Smart DNS and Proxy Server can each provide y...
Dallas Invents is a weekly look at U.S. patents granted with a connection to the Dallas-Fort Worth-Arlington metro area. Listings include patents granted to local assignees and/or those with a N...
Websites have become crucial communications tools for most businesses, especially with the rise of e-commerce. Older ways of advertising and information dissemination are in decline, and sites are be...
Hassan asked David Kessler, haead science officer for the Light colored House’s coronavirus response squad, what steps Congress could take to make sure drugmakers price vaccines and boosters in a...
Particulars Point No . 4: Associations don’t feel confident of the security. A little less than part of surveyed organizations said these are definately very or extremely proficient about the...
Here is a full guide on how to fix the issue of Roblox crashing on Windows 11/10 PC. Roblox is a great gaming platform to play a variety of games. However, a lot of users have complained that Roblox ...
Lincoln unveiled Wednesday at an event in Hollywood its first fully electric concept vehicle: The Lincoln Star Concept, a crossover that looks a lot like a Corsair or Nautilus crossover with a longer...
Searching for German VPS? Buy VPS Server Hosing Plans with Kassel, Deutschland, Berlin, Munich, Dusseldorf, Bremen, Cologne, Hamburg, Leipzig, Nuremberg, Stuttgart based IP offering Linux, Windows,...
A new AdLoad virus attack variant has slipped throughout Apple’s YARA-signed-based XProtect built/in antivirus to infect Apple computers as part of multiple campaigns encountered by cybersecurity fi...
