top of page

Hackers in North Korea add more bad Python packages to the PyPI Repository.

Three more rogue Python programmes were found in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect. There are signs that North Korean state-sponsored threat actors are behind this campaign.

The packages tablediter, request-plus, and requestspro were found by ReversingLabs, which lead to these results.

The company and Sonatype first talked about VMConnect at the beginning of the month. It is a group of Python files that look like popular open-source Python tools and download unknown second-stage malware.

ReversingLabs says that the latest batch is the same, and that bad players are hiding their packages and making them look like they can be trusted by using typosquatting to look like prettytable and requests and confuse developers.

The bad code in tablediter is meant to run in an endless loop where a remote server is occasionally polled to get a Base64-encoded payload and run it. At this point, we don't know what the package is.

One of the biggest changes to tablediter is that it no longer runs the harmful code as soon as the package is installed. This is done so that security software won't find it.

"By waiting until the designated package is imported and its functions are called by the compromised application, they avoid one type of common behavior-based detection and make it harder for would-be defenders," said security expert Karlo Zanki.

The other two packages, request-plus and requestspro, have the ability to collect information about the affected machine and send it to a command-and-control (C2) server.

Safety online

After this step, the server sends back a key, which the infected host sends back to a different URL on the same C2 server. In the end, the infected host gets back a double-encoded Python module and a download URL.

It is thought that the decoded module goes to the URL given and gets the next part of the malware.

There are many connections that lead to North Korea.

Using tokens to stay under the radar is similar to a npm operation that Phylum revealed in June and that has since been linked to North Korean actors. The strikes were done by someone called Jade Sleet, who is also known as TraderTraitor or UNC4899. GitHub is owned by Microsoft.

TraderTraitor is one of North Korea's most well-known cyber weapons used in its "hack for profit" schemes. It has been used for a long time and has been good at hacking cryptocurrency companies and other industries to make money.

Because of the possible links, it's possible that this is a typical way for the bad guys to deliver second-stage malware based on certain filtering criteria.

"The token-based approach is similar in both cases," Zanki told The Hacker News in an emailed statement. "As far as we know, no one else has used it in malware hosted on public package repositories."

The fact that infrastructure overlaps have been found between the npm engineering operation and the JumpCloud hack in June 2023 is also proof of the links to North Korea.

ReversingLabs also said it found a Python package called py_QRcode that has harmful features that are very similar to those in the VMConnect package.

In fact, py_QRcode is said to have been used as the starting point of a different attack chain in late May 2023 that was aimed at developers of cryptocurrency exchange businesses. Last month, JPCERT/CC linked it to another North Korean activity called SnatchCrypto, which is also known as CryptoMimic or DangerousPassword.

"This Python malware runs in Windows, macOS, and Linux environments, and it checks the OS information and changes the infection flow depending on it," the agency said, calling the actor "unique" for going after the developer environment with a variety of platforms.

Another important thing to note is that the attacks on macOS systems ended with the use of JokerSpy, a new backdoor that was discovered for the first time in June 2023.

Not only that. In June 2023, the cybersecurity company SentinelOne described another piece of malware called QRLog. It works the same way as py_QRcode and mentions the name www.git-hub[.]me, which has also been linked to a JokerSpy infection.

Phil Stokes, a security researcher at the time, said that the JokerSpy intrusions showed that a threat actor could write malware that worked in Python, Java, and Swift, and that could target multiple OS systems.

Cybersecurity researcher Mauro Eldritch was the first to find the QRLog malware. He said there is proof that the booby-trapped QR code generator app was made by a group called Labyrinth Chollima, which is part of the well-known Lazarus Group.

"This is just the latest in a long line of attacks on people who use the Python Package Index (PyPI) repository," Zanki said. "Threat actors continue to use the Python Package Index (PyPI) repository as a way to spread their malware."

11 views0 comments


bottom of page