Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems

Published: 23/11/2024   Category: security




The PyPI pymafka package is the latest example of growing attacker interest in abusing widely used open source software repositories.



Public repositories of open source code are a critical part of the software supply chain that many organizations use to build applications. They are therefore an attractive target for adversaries seeking to distribute malware to a mass audience.
The latest case in point is a malicious package for distributing Cobalt Strike on Windows, macOS, and Linux systems, which was uploaded to the widely used Python Package Index (PyPI) registry for Python application developers. The pymafka package has a name that's very similar to PyKafka, a popular Apache Kafka client for Python that has been downloaded more than 4.2 million times so far.
More than 300 users were tricked into downloading the malicious package, thinking it was the legitimate code, before researchers at Sonatype discovered the issue and reported it to the PyPI registry. It has since been removed, but applications that incorporated the malicious script remain a threat.
"The number of downloads for the malicious package includes automated downloads initiated by mirrors and bots in addition to user-initiated downloads," says Ax Sharma, security researcher at Sonatype.
According to him, downloads involving users mistakenly typing "pymafka" instead of "pykafka" likely were fewer than 100 in number. "Intuitively, it may seem the impact from a typosquatting attack is limited to a single user making the spelling error," he says. "But things get complicated when a developer misspells a dependency name in their library, and their library is further being used as a dependency within other third-party software projects. The users of these other applications may then automatically be infected with the typosquatted project, without having taken any action or making a mistake."
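The transitive-dependency problem Sharma describes is easiest to catch before install, by comparing every requested name against the names a team actually intends to depend on. The following script is an added example (not Sonatype's or PyPI's code): it normalizes names the way PyPI does and flags any requirement that is not on an allowlist but sits within one edit of an allowed name; the requirements text and the allowlist are constructed for illustration.

```python
import re

# Constructed sample requirements (not from the article): the typosquat plus legitimate names.
SAMPLE_REQUIREMENTS = """\
# pinned deps for a Kafka consumer service
pymafka==0.1.0
requests>=2.28
Py_Kafka
"""
# Constructed allowlist of packages the team actually intends to depend on.
KNOWN_GOOD = ["pykafka", "requests", "numpy"]

def normalize(name):
    """Normalize a project name the way PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requested_names(requirements_text):
    """Pull bare project names out of requirements.txt lines."""
    names = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def find_lookalikes(requirements_text, known_good, max_distance=1):
    """Return (requested, allowed) pairs for names that are NOT on the
    allowlist but within max_distance edits of a name that is."""
    allowed = sorted({normalize(n) for n in known_good})
    hits = []
    for name in requested_names(requirements_text):
        norm = normalize(name)
        if norm in allowed:
            continue
        hits.extend((name, good) for good in allowed
                    if edit_distance(norm, good) <= max_distance)
    return hits

if __name__ == "__main__":
    for requested, good in find_lookalikes(SAMPLE_REQUIREMENTS, KNOWN_GOOD):
        print(f"suspicious: {requested!r} is one edit from allowed {good!r}")
```

Run against a fully resolved lock file rather than the top-level requirements to cover the transitive case Sharma raises; `Py_Kafka` is flagged too because PyPI treats `py-kafka` and `pykafka` as different projects.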
The incident marks the second typo-squatting incident involving the Apache Kafka project that Sonatype researchers uncovered this month. Earlier, they discovered a package on PyPI that had the same name as a Kafka-related Python project on GitHub called karaspace. Though the malicious package on PyPI had the same name as the legitimate project, it was designed to steal IP addresses, user names, and other information for fingerprinting devices on which the package was installed.
In a blog post on Friday, Sonatype described pymafka as designed to detect the platform on which it is installed and then embed an OS-appropriate version of a Cobalt Strike beacon on the device. Cobalt Strike is often used maliciously for lateral movement within a target network environment.
Sonatype said it observed the executables being downloaded from an IP address associated with cloud-hosting provider Vultr. Once installed on a system, the beacon attempts to communicate with a China-based IP address assigned to Alibaba.
"Less than a third of antivirus engines detected the samples as malicious at the time of our submission to VirusTotal, although that's still a better detection rate than the zero-detections seen in some of our earlier discoveries," according to Sonatype.
The pymafka incident is the latest in a growing number of security incidents involving PyPI and other public repositories. For instance, last November researchers from JFrog discovered 11 malicious Python packages on PyPI. In July, they discovered malicious PyPI packages attempting to steal credit-card data and other information from some 30,000 systems on which the packages had been installed. The same month, a Japanese researcher reported a security issue that gave attackers a way to remotely execute malicious code on the registry.
"Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure," JFrog warned last year. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and [continuous integration/continuous delivery] CI/CD machines in the pipeline."
Concerns over the growing attacker interest in public repositories have prompted several security initiatives at PyPI in recent years. These include the addition of two-factor authentication as a log-in option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.
Concerns over software supply-chain security have prompted other, more strategic initiatives as well. Earlier this month, the National Institute of Standards and Technology (NIST) updated its cybersecurity guidance with new recommendations for addressing risks in the software supply chain. MITRE, too, has released a prototype framework called System of Trust that organizations can use to evaluate the security practices of service providers and suppliers in the software supply chain.
