
North Korean Hackers Target Developers with Malware-Laden Python Packages

Recently, Lazarus, a notorious state-backed group from North Korea, was found to have uploaded four packages to the Python Package Index (PyPI) repository. The intention behind this attack was to infect developer systems with malware. The affected packages, namely pycryptoenv, pycryptoconf, quasarlib, and swapmempool, have since been taken down. However, they were downloaded a combined 3,269 times, with pycryptoconf accounting for most of the downloads at 1,351.

According to JPCERT/CC researcher Shusei Tomonaga, the package names pycryptoenv and pycryptoconf are very similar to pycrypto, a Python package that implements encryption algorithms. Thus, it is highly likely that the attacker targeted users' typos when installing Python packages to ensure the malware-containing packages were downloaded.
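A defensive check against the typo-targeting described above, added here as an example and not code from JPCERT/CC or the article: it compares requested package names against a constructed allowlist of well-known packages, using a prefix/suffix match (which is what catches pycryptoenv and pycryptoconf, since their edit distance from pycrypto is too large for a plain typo threshold) alongside a small edit-distance threshold for ordinary misspellings. The allowlist and the requirements lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed allowlist of well-known names; a real deployment would use a
# curated list of the packages the organisation actually depends on.
KNOWN_PACKAGES = ["pycrypto", "pycryptodome", "cryptography", "requests", "numpy"]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit insert/delete/substitute costs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known: Iterable[str] = KNOWN_PACKAGES,
                 max_distance: int = 2) -> Optional[Dict[str, str]]:
    """Return the known package `name` resembles, or None if it looks fine.

    Signal 1: a known name embedded as prefix or suffix (pycrypto -> pycryptoenv);
    edit distance alone misses this because the added suffix is several characters.
    Signal 2: a small edit distance (requests -> requets) for ordinary typos.
    """
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return None  # exact match with a trusted package
    for kn, original in known_norm.items():
        if n.startswith(kn) or n.endswith(kn):
            return {"match": original, "reason": "embeds-known-name"}
        if edit_distance(n, kn) <= max_distance:
            return {"match": original, "reason": "edit-distance"}
    return None


def check_requirements(lines: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Flag suspicious names in requirements.txt-style lines (name[specifier])."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and (hit := lookalike_of(m.group(1))):
            findings[m.group(1)] = hit
    return findings
```

Names such as quasarlib and swapmempool resemble nothing on a short allowlist, so this check is one layer; it does not replace reviewing a package's contents before installation.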

Interestingly, this discovery comes just days after Phylum uncovered several rogue packages on the registry. These packages were used to single out software developers as part of a campaign named Contagious Interview. It is worth noting that both attacks have a commonality in that the malicious code is concealed within the test script (“test.py”). In this recent attack, the test file was used as a smokescreen for an XOR-encoded DLL file, which in turn creates two DLL files named IconCache.db and NTUSER.DAT.

The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker, which establishes connections with a command-and-control (C2) server to fetch and run an executable file.

JPCERT/CC has stated that these packages continue a campaign that Phylum first detailed in November 2023, which leverages crypto-themed modules to deliver Comebacker. Tomonaga has advised users to be cautious when installing modules and other software in their development environment to avoid installing unwanted packages.
