Lazarus hackers deploy fake VMware PyPI packages in VMConnect attacks
State-sponsored hackers from North Korea have uploaded malicious packages to the PyPI (Python Package Index) repository, disguising one of them as a VMware vSphere connector module named vConnector. These packages were uploaded in early August, with one of them, called VMConnect, specifically targeting IT professionals searching for virtualization tools. During its presence on the PyPI platform, VMConnect garnered 237 downloads. Two more packages, ‘ethter’ and ‘quantiumbase,’ were also published and impersonated popular software projects; they received 253 and 216 downloads, respectively.
A report from ReversingLabs, a software supply chain security company, attributes this campaign to Labyrinth Chollima, a subgroup of the North Korean Lazarus hackers. Researchers identified additional packages related to the VMConnect operation, including ‘tablediter’ (736 downloads), ‘request-plus’ (43 downloads), and ‘requestspro’ (341 downloads). These newly discovered packages attempted to pass as tools for editing tables and as extensions of the widely used ‘requests’ Python library for making HTTP requests. The hackers added “plus” and “pro” suffixes to make them appear to be legitimate versions of the standard package with enhanced capabilities.
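The “plus”/“pro” trick is a name-level signal that a package registry mirror or a pre-install policy hook can check mechanically. The following is an added example (not code from ReversingLabs or from this article) of such a check: it normalises names the way PyPI does (PEP 503), strips a short list of “enhanced edition” suffixes, and compares the result against a protected list using exact match or a small edit distance. The protected list and the suffix list are constructed for the example; a real deployment would use an organisation's allow-list or the most-downloaded projects on the index.

```python
import re

# Constructed list of names worth protecting; a real deployment would use an
# organisation's allow-list or the top-N most downloaded PyPI projects.
PROTECTED = ["requests", "numpy", "urllib3", "vconnector", "pyyaml"]

# Suffixes that make a copycat read like an "enhanced" edition of the original.
SUSPICIOUS_SUFFIXES = ("plus", "pro", "python", "py", "lib", "dev", "2", "3")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_suffix(n: str):
    """Return (base, suffix) if n ends in a marketing suffix, else (n, None)."""
    for suf in SUSPICIOUS_SUFFIXES:
        for tail in ("-" + suf, suf):
            if n.endswith(tail) and len(n) > len(tail):
                return n[: -len(tail)], suf
    return n, None


def impersonation_candidates(name, protected=PROTECTED, max_distance=1):
    """List (protected_name, reason) pairs for which `name` looks like a copycat."""
    n = normalize(name)
    protected_norm = {normalize(p): p for p in protected}
    if n in protected_norm:
        return []  # it *is* the protected project, not an impersonator
    base, suf = strip_suffix(n)
    hits = []
    for pn, p in protected_norm.items():
        if suf and base == pn:
            hits.append((p, f"'{suf}' appended to {p}"))
        elif suf and levenshtein(base, pn) <= max_distance:
            hits.append((p, f"'{suf}' appended to a near-miss of {p}"))
        elif levenshtein(n, pn) <= max_distance:
            hits.append((p, f"within {max_distance} edit(s) of {p}"))
    return hits


if __name__ == "__main__":
    for candidate in ("requestspro", "request-plus", "tablediter", "vmconnect", "requests"):
        print(candidate, "->", impersonation_candidates(candidate) or "no match")
```

Run against the names from the report, ‘requestspro’ and ‘request-plus’ both resolve to ‘requests’, while ‘tablediter’ and ‘vmconnect’ produce no match: the VMConnect name is three edits away from ‘vconnector’, which is a reminder that name heuristics catch only the lazy copycats and need to be paired with inspection of what the package actually does when imported.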
The malicious packages retained the original descriptions and exhibited minimal differences in file structure and content, primarily affecting the “__init__.py” file, which executed a malicious function from ‘cookies.py,’ triggering data collection from infected machines. The collected information was sent to the attacker’s command and control (C2) servers through an HTTP POST request. The C2 server responded with a Python module obfuscated using Base64 and XOR encoding, along with execution parameters. This module also included the download URL for the next payload stage, which researchers were unable to retrieve.
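The defining trait of these packages is that the harmful function is called from `__init__.py`, so it runs on a plain `import` rather than when the user deliberately calls an API. That distinction is something a static pre-install check can test for. The following is an added example, not tooling from ReversingLabs or from the article, that parses an `__init__.py` with Python's `ast` module and reports calls executed at import time: calls on a watchlist (decoding, network, process and `exec` primitives, resolved through `import ... as` aliases) and calls to functions pulled in from sibling modules via relative imports. The two sample `__init__.py` texts and the watchlist are constructed for the example; the “suspect” sample only mimics the shape the article describes and contains no collection logic itself.

```python
import ast

# Constructed watchlist of calls that have no business running on `import`.
WATCHLIST = {
    "exec", "eval", "compile",
    "base64.b64decode", "base64.b64encode",
    "requests.post", "requests.get", "urllib.request.urlopen",
    "subprocess.run", "subprocess.Popen", "os.system", "socket.socket",
}


def dotted_name(node):
    """Turn a Name/Attribute chain such as `a.b.c` into 'a.b.c' (None otherwise)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class ImportTimeCalls(ast.NodeVisitor):
    """Collect calls that execute when the module is merely imported."""

    def __init__(self):
        self.depth = 0              # > 0 while inside a function or lambda body
        self.aliases = {}           # local name -> fully qualified module/attr
        self.local_imports = set()  # names pulled in from sibling modules
        self.findings = []          # (lineno, resolved_name, reason)

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for a in node.names:
            local = a.asname or a.name
            if node.level > 0:      # relative import, e.g. `from .cookies import x`
                self.local_imports.add(local)
            elif node.module:
                self.aliases[local] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        for dec in node.decorator_list:  # decorators are evaluated at import time
            self.visit(dec)
        self.depth += 1                  # ...but the function body is not
        for stmt in node.body:
            self.visit(stmt)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Lambda(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    def _resolve(self, name):
        head, _, rest = name.partition(".")
        head = self.aliases.get(head, head)
        return f"{head}.{rest}" if rest else head

    def visit_Call(self, node):
        if self.depth == 0:  # class bodies and module top level both run on import
            raw = dotted_name(node.func)
            if raw is not None:
                name = self._resolve(raw)
                if name in WATCHLIST:
                    self.findings.append((node.lineno, name, "watchlisted call at import time"))
                elif raw in self.local_imports:
                    self.findings.append((node.lineno, raw, "sibling-module function called at import time"))
        self.generic_visit(node)


def scan_init(source: str):
    """Return import-time findings for the text of a package's __init__.py."""
    visitor = ImportTimeCalls()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed stand-in for the shape the article describes; the called names are
# placeholders and nothing here collects or sends anything. "e30=" decodes to "{}".
SUSPECT_INIT = '''\
"""vconnector - constructed stand-in, not the real project"""
from .cookies import collect_env
import base64 as b64

__version__ = "0.1"
collect_env()                   # runs on plain `import vconnector`
CFG = b64.b64decode("e30=")     # decoding config at import time
'''

# Constructed benign package: the network call lives inside a function.
BENIGN_INIT = '''\
from .client import Client
import requests

__all__ = ["Client", "ping"]

def ping(url):
    return requests.get(url, timeout=5).status_code
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_INIT), ("benign", BENIGN_INIT)):
        print(label, scan_init(src))
```

The suspect sample yields two findings (the sibling-module call on line 6 and the Base64 decode on line 7) while the benign one yields none, because `requests.get` only runs when `ping()` is called. Such a check belongs in the step that vets a wheel or sdist before it reaches an internal mirror; it is a heuristic, so a string-built attribute access or a call hidden behind `getattr` will slip past it, which is why the report's authors still had to look at the actual files.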
“In line with the previous VMConnect campaign, the associated C2 server did not initially deliver additional commands. Instead, it remained idle until a suitable target was identified, complicating the assessment of the campaign’s complete extent.” – ReversingLabs
Attribution confidence
“Although they did not conduct a thorough analysis of the final payload, ReversingLabs researchers have gathered sufficient evidence to connect the VMConnect campaign with the well-known North Korean Lazarus APT group. One piece of evidence is the discovery of the ‘builder.py’ file within the malicious packages, which contains the same payload decoding routine identified by Japan’s Computer Security Incident Response Team (JPCERT) in another file named ‘py_Qrcode.’ JPCERT linked this code to another Lazarus subgroup known as DangerousPassword. Additionally, the functionality of ‘QRLog,’ a Java-based malware attributed to Labyrinth Chollima by CrowdStrike with high confidence, closely aligns with that of ‘py_Qrcode.’”