North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

In the PyPI repository, three additional unauthorized Python packages have been unearthed within an ongoing malicious software supply chain operation known as VMConnect. There are indications pointing toward the involvement of state-sponsored threat actors from North Korea.

These discoveries have been made by ReversingLabs, who identified the packages as tablediter, request-plus, and requestspro.

VMConnect, initially disclosed earlier this month by ReversingLabs and Sonatype, comprises a collection of Python packages that emulate well-known open-source Python tools. They serve as a means to facilitate the download of an undisclosed second-stage malware.

The most recent set of packages follows a similar pattern, with PyPI ReversingLabs observing that the malevolent actors are camouflaging their packages. They employ typosquatting techniques to mimic popular packages like prettytable and requests, thereby sowing confusion among developers.

Within the tablediter package, there exists malicious code designed to operate in an infinite execution loop. Periodically, it contacts a remote server to fetch and execute a Base64-encoded payload. The precise nature of this payload remains unknown.

A noteworthy modification in tablediter is its avoidance of triggering malicious code immediately upon package installation. This adjustment is aimed at evading detection by security software. Instead, the malicious code activates when the designated package is imported and its functions are invoked by the compromised application.

Security researcher Karlo Zanki commented, “By delaying execution until the designated package is imported and its functions are called by the compromised application, they circumvent a common form of behavior-based detection and raise the bar for potential defenders.”

The other two packages, request-plus and requestspro, possess the capability to gather information from the compromised system and transmit it to a command-and-control (C2) server. Subsequently, the C2 server responds by providing a token, which the infected host sends to a different URL on the same C2 server. In return, the host receives a double-encoded Python module and a download URL. It is suspected that the decoded module retrieves the next stage of the malware from the provided URL.

This approach, using tokens to remain inconspicuous, bears a resemblance to an npm campaign revealed by Phylum in June, which has since been linked to North Korean actors. Microsoft-owned GitHub attributed these attacks to a threat actor it refers to as Jade Sleet, also known as TraderTraitor or UNC4899. TraderTraitor is a prominent cyber weapon utilized by North Korea for profit-oriented schemes, with a history of successful targeting of cryptocurrency companies and other sectors for financial gain.

The potential connections between these incidents suggest that this token-based approach may be a shared tactic among these adversaries. They seem to use it to selectively deliver second-stage malware based on specific filtering criteria.

Karlo Zanki noted, “The token-based approach is a similarity […] in both cases and has not been used by other actors in malware hosted on public package repositories as far as we know,” in an email statement to The Hacker News.

The links to North Korea are supported by the discovery of infrastructure overlaps between the npm engineering campaign and the JumpCloud hack that occurred in June 2023.

Furthermore, ReversingLabs has reported the discovery of a Python package named py_QRcode, which exhibits malicious functionality remarkably similar to that found in the VMConnect package. Interestingly, py_QRcode appears to have been employed as the initial element in a distinct attack chain aimed at developers of cryptocurrency exchange businesses in late May 2023. Last month, JPCERT/CC attributed this activity to another North Korean campaign known as SnatchCrypto (also referred to as CryptoMimic or DangerousPassword).

This Python-based malware is versatile, capable of operating on Windows, macOS, and Linux systems. It actively checks the host’s operating system information and adjusts its infection strategy accordingly. This adaptability sets the threat actor apart, as it targets the developer environment across a range of platforms.

Another noteworthy development is the conclusion of attacks on macOS systems, resulting in the deployment of a novel backdoor called JokerSpy, which initially came to light in June 2023.

That’s not all; in June 2023, cybersecurity firm SentinelOne detailed another malware strain named QRLog, exhibiting identical functionality to py_QRcode. QRLog references the domain www.git-hub[.]me, which has also been associated with JokerSpy infections.

Security researcher Phil Stokes remarked on the JokerSpy intrusions, highlighting the threat actor’s ability to create functional malware using several programming languages, including Python, Java, and Swift, and effectively target various operating system platforms.

Cybersecurity researcher Mauro Eldritch, the initial discoverer of QRLog malware, has suggested that the booby-trapped QR code generator application could be the handiwork of an adversary known as Labyrinth Chollima, a sub-cluster within the notorious Lazarus Group.

In summary, these incidents underscore a continuous pattern of malicious attacks aimed at users of the PyPI repository, with threat actors persistently utilizing it as a distribution point for their malware.

Attention: CLICK HERE to follow our facebook page