www.reversinglabs.com
Open in
urlscan Pro
2606:2c40::c73c:671f
Public Scan
URL:
https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls
Submission: On February 21 via api from DE — Scanned from DE
Submission: On February 21 via api from DE — Scanned from DE
Form analysis
3 forms found in the DOM/hs-search-results
<form action="/hs-search-results" class="modal__form" data-hs-cf-bound="true">
<input type="text" class="hs-search-field__input hs-search-field__input--modal" name="term" autocomplete="off" aria-label="Search" placeholder="Search reversinglabs.com">
<input type="hidden" name="type" value="SITE_PAGE">
<input type="hidden" name="type" value="LANDING_PAGE">
<input type="hidden" name="type" value="BLOG_POST">
<input type="hidden" name="type" value="LISTING_PAGE">
<button aria-label="Search" class="modal__search-button"><span class="ico search"></span></button>
</form>
/hs-search-results
<form action="/hs-search-results" class="hs-search-field__bar-form" data-hs-cf-bound="true">
<input type="text" class="hs-search-field__input hs-search-field__input--results" name="term" autocomplete="off" aria-label="Search" placeholder="Search">
<input type="hidden" name="type" value="SITE_PAGE">
<input type="hidden" name="type" value="LANDING_PAGE">
<input type="hidden" name="type" value="BLOG_POST">
<input type="hidden" name="type" value="LISTING_PAGE">
<input type="hidden" name="limit" value="100">
<button aria-label="Search" class="hs-search-field__button cta cta--default cta--red"><span class="ico search ico--24"></span></button>
</form>
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/3375217/24abef2a-a2f4-4889-8899-dd4026584fa9
<form id="hsForm_24abef2a-a2f4-4889-8899-dd4026584fa9_4265" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/3375217/24abef2a-a2f4-4889-8899-dd4026584fa9"
class="hs-form-private hsForm_24abef2a-a2f4-4889-8899-dd4026584fa9 hs-form-24abef2a-a2f4-4889-8899-dd4026584fa9 hs-form-24abef2a-a2f4-4889-8899-dd4026584fa9_5d05e944-1b57-4b15-90b4-df785a7c60df hs-form stacked hs-custom-form"
target="target_iframe_24abef2a-a2f4-4889-8899-dd4026584fa9_4265" data-instance-id="5d05e944-1b57-4b15-90b4-df785a7c60df" data-form-id="24abef2a-a2f4-4889-8899-dd4026584fa9" data-portal-id="3375217"
data-test-id="hsForm_24abef2a-a2f4-4889-8899-dd4026584fa9_4265" data-hs-cf-bound="true">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your " for="email-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" name="email" required="" placeholder="Email*" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_leadsource hs-leadsource hs-fieldtype-select field hs-form-field smart-field" style="display: none;"><label id="label-leadsource-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your Lead source"
for="leadsource-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>Lead source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="leadsource" class="hs-input" type="hidden" value="Website"></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your utm_campaign"
for="utm_campaign-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>utm_campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your utm_content"
for="utm_content-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>utm_content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your utm_medium"
for="utm_medium-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>utm_medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your utm_source"
for="utm_source-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>utm_source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_term hs-utm_term hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term-24abef2a-a2f4-4889-8899-dd4026584fa9_4265" class="" placeholder="Enter your utm_term"
for="utm_term-24abef2a-a2f4-4889-8899-dd4026584fa9_4265"><span>utm_term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_recaptcha hs-recaptcha field hs-form-field">
<div class="input">
<div class="grecaptcha-badge" data-style="inline"
style="width: 256px; height: 60px; position: fixed; visibility: hidden; display: block; transition: right 0.3s ease 0s; bottom: 14px; right: -186px; box-shadow: gray 0px 0px 5px; border-radius: 2px; overflow: hidden;">
<div class="grecaptcha-logo"><iframe title="reCAPTCHA" width="256" height="60" role="presentation" name="a-wwepzm9mg3g6" frameborder="0" scrolling="no"
sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox allow-storage-access-by-user-activation"
src="https://www.google.com/recaptcha/enterprise/anchor?ar=1&k=6Ld_ad8ZAAAAAAqr0ePo1dUfAi0m4KPkCMQYwPPm&co=aHR0cHM6Ly93d3cucmV2ZXJzaW5nbGFicy5jb206NDQz&hl=en&v=1kRDYC3bfA-o6-tsWzIBvp7k&size=invisible&badge=inline&cb=5enmqxgl9av9"></iframe>
</div>
<div class="grecaptcha-error"></div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
</div><iframe style="display: none;"></iframe>
</div><input type="hidden" name="g-recaptcha-response" id="hs-recaptcha-response" value="">
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Submit"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1708529992951","formDefinitionUpdatedAt":"1702042874752","lang":"en","clonedFromForm":"ce383929-448d-4186-b8e8-0851a2285f27","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36","pageTitle":"Attackers leverage PyPI to sideload malicious DLLs","pageUrl":"https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls","pageId":"157537033740","isHubSpotCmsGeneratedPage":true,"canonicalUrl":"https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls","contentType":"blog-post","hutk":"7006f25eb6ff3d69235c4b3205b8b1ba","__hsfp":696607268,"__hssc":"60854195.1.1708529993870","__hstc":"60854195.7006f25eb6ff3d69235c4b3205b8b1ba.1708529993870.1708529993870.1708529993870.1","formTarget":"#hs_form_target_form_388871387","formInstanceId":"4265","rawInlineMessage":"<p>Thanks for subscribing to our blog series.&nbsp; You will receive an email every Monday with our latest blog posts.</p>","hsFormKey":"6c29c4fda044c76c974de232f740e02d","pageName":"Attackers leverage PyPI to sideload malicious DLLs","rumScriptExecuteTime":590.4000005722046,"rumTotalRequestTime":785.9000005722046,"rumTotalRenderTime":827.3000001907349,"rumServiceResponseTime":195.5,"rumFormRenderTime":41.39999961853027,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1708529993876,"originalEmbedContext":{"portalId":"3375217","formId":"24abef2a-a2f4-4889-8899-dd4026584fa9","region":"na1","target":"#hs_form_target_form_388871387","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"4265","formsBaseUrl":"/_hcms/forms","css":"","inlineMessage":"<p>Thanks for subscribing to our blog series.&nbsp; You will receive an email every Monday with our latest blog posts.</p>","isMobileResponsive":true,"rawInlineMessage":"<p>Thanks for subscribing to our blog series.&nbsp; You will receive an email every Monday with our latest blog posts.</p>","hsFormKey":"6c29c4fda044c76c974de232f740e02d","pageName":"Attackers leverage PyPI to sideload malicious DLLs","pageId":"157537033740","contentType":"blog-post","formData":{"cssClass":"hs-form stacked hs-custom-form"},"isCMSModuleEmbed":true},"correlationId":"5d05e944-1b57-4b15-90b4-df785a7c60df","renderedFieldsIds":["email","leadsource","utm_campaign","utm_content","utm_medium","utm_source","utm_term"],"captchaStatus":"LOADED","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.4733","sourceName":"forms-embed","sourceVersion":"1.4733","sourceVersionMajor":"1","sourceVersionMinor":"4733","allPageIds":{"embedContextPageId":"157537033740","analyticsPageId":"157537033740","contentPageId":157537033740,"contentAnalyticsPageId":"157537033740"},"_debug_embedLogLines":[{"clientTimestamp":1708529993038,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"getExtraMetaDataBeforeSubmit\"]"},{"clientTimestamp":1708529993038,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Attackers leverage PyPI to sideload malicious DLLs\",\"pageUrl\":\"https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36\",\"pageId\":\"157537033740\",\"contentAnalyticsPageId\":\"157537033740\",\"contentPageId\":157537033740,\"isHubSpotCmsGeneratedPage\":true}"},{"clientTimestamp":1708529993039,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1708529993873,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"7006f25eb6ff3d69235c4b3205b8b1ba\",\"canonicalUrl\":\"https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls\",\"contentType\":\"blog-post\",\"pageId\":\"157537033740\"}"}]}"><iframe
name="target_iframe_24abef2a-a2f4-4889-8899-dd4026584fa9_4265" style="display: none;"></iframe>
</form>
Text Content
slide 2 of 3 Gartner® Report: Mitigate Enterprise Software Supply Chain Risks Get the Insights New! The Buyer’s Guide to Software Supply Chain Security Download Now! WEBINAR: Know When Your Software Is Malware | The New Era of Software Supply Chain Security REGISTER NOW Gartner® Report: Mitigate Enterprise Software Supply Chain Risks Get the Insights New! The Buyer’s Guide to Software Supply Chain Security Download Now! Solutions SOFTWARE SUPPLY CHAIN SECURITY Spectra Assure for Procurement Spectra Assure for Build & Release AUTOMATE SOC SUPPORT Triage Incident Response SIEM/SOAR Protect Cloud File Shares OPTIMIZE THREAT HUNTING Ransomware Feed Malware Lab Threat Hunting Sandbox Email EDR Threat Intelligence Platform Threat Intelligence Platform for Microsoft Sentinel Product & Technology PRODUCT & TECHNOLOGY Titanium Platform Spectra Assure for Software Supply Chain Security ReversingLabs Threat Intelligence ReversingLabs Elastic Threat Infrastructure ReversingLabs Threat Analysis & Hunting Free: Open Source Yara Rules Integrations Why RL? Partners PARTNERS Become A Partner Value Added Partners Marketplaces ALLIANCES ReversingLabs And Synopsys Resources RESOURCES Blog Content Library Webinars Software Deconstruction Demo Series ReversingGlass: Concepts Explained ConversingLabs Podcast From the Labs: YARA Rules DEMO Videos Learning with ReversingLabs Company COMPANY About Us Leadership Careers Series B Investment Company News EVENTS Events PRESS Press Releases In the News Demo Contact Us Support Login Blog Developer Portal Search REVERSINGLABS BLOG Threat Research | February 20, 2024 ATTACKERS LEVERAGE PYPI TO SIDELOAD MALICIOUS DLLS RL DISCOVERED TWO MALICIOUS PACKAGES AND A SUBSEQUENT LARGER CAMPAIGN, SHOWING THAT THE APPROACH IS AN EMERGING SOFTWARE SUPPLY CHAIN ATTACK METHOD. Blog Author Petar Kirhmajer, Threat Researcher, ReversingLabs. Read More... * * * * ReversingLabs researchers have observed a clear trend in which open-source platforms and code have become the stage for a growing and diverse range of malicious activity and campaigns. This trend includes hosting malicious command-and-control (C2) infrastructure, storing stolen data, and delivering second- and third- stage malware including downloaders and rootkit programs. The team's most recent discovery suggests that trend is continuing in 2024. On January 10, ReversingLabs reverse engineer Karlo Zanki discovered two suspicious packages on the open-source package manager Python Package Index (PyPI). The packages, NP6HelperHttptest and NP6HelperHttper, were observed using DLL sideloading, a well-documented technique that malicious actors use to execute code without attracting the attention of security monitoring tools. The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding. Here is how the two packages were discovered — and key implications for both development teams and end-users. DISCUSSION One of the biggest challenges to developers who rely on open source code (and that is pretty much every developer) is assessing the quality and reliability of what they find online. The open-source ecosystem is vast and diverse, with a constantly shifting landscape made up of new software modules and actively managed code, not to mention the long, long tail of loosely managed, inactive, or obsolete open source code. Complicating matters for developers, there is no common identity or reputation provider for open-source modules. That makes it easy for malicious actors, with minimum effort, to insert themselves and their wares into otherwise legitimate software supply chains. As ReversingLabs has documented, typosquatting and repojacking attacks are two common methods of doing this, with malicious actors floating malicious look-alike packages for active or abandoned open-source modules in the hopes of fooling developers into incorporating them into their applications. But there are even more subtle ways to infiltrate legitimate applications, as ReversingLabs' latest discovery shows. This discovery happened as a result of our standard monitoring of open-source repositories for packages with specific combinations of suspicious behaviors. In this case, our platform was looking for network communication features hidden in the setup.py file. That scan turned up the two malicious PyPI packages, NP6HelperHttptest and NP6HelperHttper. With further investigation, it became clear that the targets of those files were two existing, legitimate PyPI packages: NP6HelperHttp and NP6HelperConfig. These are helper tools originally published by a PyPI developer with the username NP6. If that name sounds familiar, it is because NP6 is also a marketing-automation tool developed by the firm Chapvision. However, the NP6 PyPI account is not an official Chapvision account. Instead, it is a personal account linked to a Chapvision developer. It is unclear whether the company was aware of the existence of that account or the NP6HelperHttp and NP6HelperConfig tools. However, when informed about the existence of the packages, Chapvision confirmed to ReversingLabs that the helper tools were published by one of their employees. Around the same time, those packages were removed from PyPI. The malicious packages uncovered, NP6HelperHttptest and NP6HelperHttper, employ typosquatting, using names that are nearly identical to one of the legitimate NP6 packages. The goal is to fool developers into downloading and opening the malicious wares, thereby facilitating further attacker access, as explained below. Zanki said the blurring of lines that separate official from unofficial or even malicious packages poses a major challenge to development organizations. > “Development organizations need to be aware of the threats related to supply > chain security and open-source package repositories. They also need to be > proactive about supply chain security. Even if they are not using open-source > package repositories, that doesn't mean that threat actors won't abuse them to > impersonate companies and their software products and tools." > —Karlo Zanki > > Several open-source package repositories offer features to counter issues such > as the one raised by the NP6 account. For example, both the npm and NuGet > package managers allow publishers to register package or username prefixes > (such as NP6) without the need to publish any content. That can prevent easy > impersonation attacks that float malicious packages. “Think of it like > registering a domain name, to prevent others from registering it before you," > Zanki said. MALICIOUS SCRIPT ABUSING DLL SIDELOADING Close examination of the malicious packages by ReversingLabs revealed that both contain a setup.py script, which extends setuptools commands with custom code designed to download two files: * ComServer.exe, a legitimate file from Beijing-based Kingsoft Corp., and properly signed with a valid certificate belonging to the same company. * dgdeskband64.dll, a malicious file that downloads and runs a stage-two payload. Figure 1: setup.py - Downloading the files Hiding malicious code in setup.py is a strategy that RL researchers have seen employed in previous attacks, including a December 2023 campaign. In that instance, custom setuptools commands were used to decode a Base64 encoded URL and fetch malicious, Base64-encoded Python commands that were then executed in a new process. In this latest campaign, the setup.py Python script downloads the ComServer.exe and dgdeskband64.dll files, and then executes the signed file ComServer.exe in a new process. ComServer.exe is a legitimate software application that is a part of the larger DriverGenius software package, a popular driver management tool. One of the purposes of ComServer.exe is to load a library, dgdeskband64.dll, and invoke its exported function Dllinstall, which is used to install a specified module inside the named software. The catch: The version of dgdeskband64.dll included in the malicious packages is not the legitimate version of the library that ComServer is expecting to find on the system where it is executed. Instead, the threat actor crafted their own version of dgdeskband64.dll to facilitate the attack, with the same Dllinstall export function as the legitimate Dgdeskband64.dll library. As the graphic below shows, the malicious dgdeskband64.dll contains only one exported function, rather than five. Figure 2: Different exports for the legit and malicious dll DLL sideloading is a well-documented hacking technique used by both cybercriminal and nation-state actors to load malicious code while evading detection. In one prominent example, the North Korea-linked Lazarus Group used DLL sideloading to replace an internal IDA Pro library, win_fw.dll, with a malicious DLL to download and execute a payload. DLL sideloading also isn’t novel in the context of open-source software attacks. In February 2023, for example, RL researcher Lucija Valentić wrote about her discovery of Aabquerys, a malicious npm package that employed typosquatting on a legitimate npm module to carry out DLL sideloading of malicious components. In that campaign, malicious actors targeted a Windows PE (portable executable) file, wsc_proxy.exe, which is known to be vulnerable to the sideloading attacks. It has been involved in a number of malware campaigns. The malicious Aabquerys package, when executed, placed a dll file named wsc.dll with an exported function named run in the same folder as wsc_proxy.exe. When the legitimate wsc_proxy.exe executable is launched, it would invoke the run method from the sideloaded, malicious wsc.dll. That DLL then downloaded a third-stage malicious component, Demon.bin, from an external command and control site. In the case of the new PyPI DLL examples, sideloading was used to avoid detection of the malicious code, as was the case with Aabquerys. Specifically, that was carried out by loading malicious code located in an unsigned (and therefore untrusted) DLL from the context of a signed PE executable. With this method the attackers lower the risk that their malicious code will be detected by security tools. Figure 3: Malware infection stages DLLINSTALL BRINGS MALICIOUS FUNCTIONALITY Looking closer at the various elements of this attack, it's clear that execution of the malicious code is achieved by registering an exception handler inside the Dllinstall export function. An exception handler is a common component of modern operating systems that manages exceptions encountered by running processes according to policies that are specific to the operating system in question. Actions could range from displaying an error message, to terminating the program generating the exception. In the case of this malicious campaign, however, the exception handler is used to pass along malicious code. Specifically, after the exception handler is registered, the program enters a loop where it divides numbers until division by zero happens, causing an exception and inherently transferring the code flow to the malicious subroutine. The subroutine then establishes a connection with an external server (hxxps://us.archive-ubuntu.top/components/an.gif?type=lastest) and downloads an.gif. That action would not appear suspicious. However, the downloaded file is not a GIF file at all, but a payload file, x86_64 shellcode. Once downloaded, the shellcode is streamed to memory and the execution is then redirected to it through a callback registered for the NotifyIpInterfaceChange function. As with DLL sideloading, this method of abusing windows APIs to execute shellcode is not new. It has been observed and documented by researchers for close to 10 years. ANALYZING THE SHELLCODE Taking a look at the shellcode in question: we can see that it is encrypted using a simple XOR encryption with a moving key (Figure 4). Figure 4: Shellcode decryption routine After decrypting it, RL discovered traces of a PE file (Figure 5). The string “MZARUH'' appears in a place where the PE magic string “MZ\x90\x00” normally appears. Just that string alone is a good indicator that this is a Cobalt Strike Beacon. Cobalt Strike is a security tool designed for red teams to aid in their penetration testing tasks. However, as with any tool (especially the ones designed for red teams), threat actors can leverage it without investing too much effort into building similar tools themselves. [ See Webinar: How Cobalt Strike is weaponized against organizations ] The portable executable (PE) file that was decrypted was located just after the decryption routine, so it starts executing it right after it gets decrypted. The reason “MZARUH” is here instead of the normal PE magic string is that the CPU is trying to execute the bytes that make up that string. Coincidentally or intentionally, the string MZARUH and the data coming after it make up valid assembly instructions which can be executed normally. Figure 5: Hex-view after decrypting and traces of a PE file EVIDENCE POINTS TO A WIDER CAMPAIGN Is this latest discovery a single instance or a part of a bigger campaign? The ReversingLabs Titanium Platform helps answer that question. Using ReversingLabs’ YARA Retro Hunt, RL researchers looked back in time to find other packages that share characteristics with previously discovered malicious packages. Retro Hunt scans all samples uploaded to RL's Titanium Cloud over the last three months and allows organizations to match them against a specific YARA rule. In this case, the RL research team wrote a YARA rule to look for either the malicious C2 domain (us.archive-ubuntu.top) or the headers and user-agent used to download the fake dgdeskband64.dll and used that to perform a retro hunt, which turned up another sample that appears to be part of this campaign. Figure 6: A1000 retrohunt matches This second sample that turned up in Retro Hunt is also a DLL, but it is not exploiting DriverGenius’ ComServer.exe to load a DLL. Instead, it uses a different pair, including an .exe and target DLL, windowsaccessbridge-64.dll. Still, the functionality is identical, and the same URL downloads the same payload as the other PyPI packages, suggesting that this sample is part of the same campaign. The ReversingLabs Titanium Platform can also display the sources of analyzed samples, providing even more insight into the packages. Analyzing that data, it appears that the top level container for the second discovered sample is a zip archive that contains the .exe and target DLL, windowsaccessbridge-64.dll. Similarly, using the RL platform to check the sources for the top level container yielded a Titanium Cloud Service source match: the zip file was downloaded from the web location hxxps://cdn.0c.sk/1101012.zip. That web location has been spotted in Titanium Cloud Services previously in connection with a malicious .NET sample. That .NET sample was observed downloading a ZIP file (hxxps://cdn.0c.sk/1101012.zip), which extracted an .exe file from the archive along with the malicious windowsaccessbridge-64.dll. It then launched the exe, which performs DLL sideloading in an identical fashion as the NP6HelperHttptest and NP6HelperHttper PyPI packages that initially caught the RL research team's attention. Furthermore, the .NET sample was self signed using a certificate issued to “Sex Shop SRL” (cert-serial:e3214c81339540a3804fca656f5aea7d). Data from the RL platform shows that this is not the first time this certificate was used to sign malware. In fact, ReversingLabs has samples signed with that same certificate that date as far back as June 2022. Taken together, the data strongly supports the conclusion that the newly discovered PyPI packages are a part of the same campaign as the .NET sample, which implied that these packages are not a final act. Expect to see more malicious activity from this threat actor. CONCLUSION As this latest discovery shows, malicious actors at all levels of sophistication are increasingly turning to open source code and related infrastructure such as package managers to further their malicious campaigns. As they develop the tools and techniques threat actors deploy are becoming more diverse. Bad actors that might have previously turned to well-tested techniques such as spearphishing to lure their targets into installing malware are adapting their methods. Planting malware in open-source package repositories and then waiting to see who downloads and uses the compromised code is proving to be a popular choice for malicious cyber-actors, who are increasingly using subtle means to insert their malicious wares into software supply chains. The emergence of DLL sideloading attacks are one clear example of this emerging attack vector. These attacks have been used for years by threat actors to increase their leverage and control within compromised environments while escaping detection, but less often seen in attacks leveraging open-source packages. This report suggests that may be changing. The discovery of these two malicious PyPI packages, as well as the subsequent discovery of a larger campaign and additional, malicious packages proves that threat actors are warming to the use of DLL sideloading to further software supply chain attacks — and inflict harm on both software producers and enterprises that rely on them. Over time, that is increasing pressure on both software producers and organizations to monitor the security and integrity of their software supply chain and the software packages that flow out of that supply chain. INDICATORS OF COMPROMISE (IOCS) Indicators of compromise (IoCs) are forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IoCs play a crucial role in cybersecurity investigations and cyber-incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents. The following IOCs were collected as part of ReversingLabs' investigation of this software supply chain campaign. PyPI packages: package_name version SHA1 NP6HelperHttptest 0.1 1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4 NP6HelperHttptest 0.2 dfc8afe5cb7377380908064551c9555719fd28e3 NP6HelperHttptest 0.3 73ece3d738777e791035e9c0c94bf4931baf3e3a NP6HelperHttptest 0.4 e3a7098e3352fdbb5ff5991e9e10dcf3b43b1b86 NP6HelperHttptest 0.5 575bcc28998ad388c2ad2c2ebc74ba583f5c0065 NP6HelperHttptest 0.6 a1bb4531ce800515afa1357b633c73c27fa305cf NP6HelperHttper 0.1 a65bce340366f724d444978dcdcd877fa2cacb1c Additional Indicators: description URI Domain that’s hosting the malicious dll https://fus.rngupdatem.buzz Domain that’s hosting the shellcode payload Us.archive-ubuntu.top name type SHA1 dgdeskband.dll PE/dll 1f9fcf86a56394a7267d85ba76c1256d12e3e76b windowsaccessbridge-64.dll PE/dll 84c75536b279a85a5320f058514b884a016bc8c8 an.gif shellcode 2dc80f45540d0a3ea33830848fcf529f98ea2f5e Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security. KEEP LEARNING * Update your understanding: Buyer's Guide for Software Supply Chain Security * Join the Webinar: Why you need to upgrade your AppSec for the new era * Get the report and take action: The State of Supply Chain Security 2024 * Join the discussion: State of Software Supply Chain Security Webinar * See Gartner's guidance on managing software supply chain risk * Tags: * Threat Research MORE BLOG POSTS Security Operations February 21, 2024 4 WAYS HERO CULTURE IS KILLING YOUR SECURITY PROGRAM'S EFFECTIVENESS Learn why hero culture is a problem — and how companies and the industry can avoid its negative effects and develop more resilient security operations. Read More Threat Research February 20, 2024 ATTACKERS LEVERAGE PYPI TO SIDELOAD MALICIOUS DLLS RL discovered two malicious PyPI packages and a larger subsequent campaign of packages — highlighting that DLL sideloading is an emerging method for software supply chain attacks. Read More AppSec & Supply Chain Security February 15, 2024 COMPLEXITY AND SOFTWARE SUPPLY CHAIN SECURITY: 5 KEY SURVEY TAKEAWAYS A new report from Enterprise Strategy Group highlights key challenges stemming from the complexity of modern software development. Here are key takeaways. Read More TOPICS * All Blog Posts * AppSec & Supply Chain Security * Dev & DevSecOps * Threat Research * Security Operations * Products & Technology * Company & Events FOLLOW US * X * YouTube * LinkedIn SUBSCRIBE Get the best of RL Blog delivered to your in-box weekly to stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security. Lead source utm_campaign utm_content utm_medium utm_source utm_term SPECIAL REPORTS * The State of Software Supply Chain Security 2024 January 16, 2024 LATEST BLOG POSTS The State of Open Source Software Security Conversations About Threat Hunting and Software Supply Chain Security RG: Tampering Glassboard conversations with ReversingLabs Field CISO Matt Rose Software Package Deconstruction: Video Conferencing Software Analyzing Risks To Your Software Supply Chain SOFTWARE SUPPLY CHAIN SECURITY HOTLINE If you need immediate assistance with a software supply chain security issue, you can contact us here. sscs incident response * Blog * Webinars * Demo Videos * Events * In the News * Glossary * About Us * Careers * Contact Us Privacy Policy | Cookies All rights reserved ReversingLabs © 2024 * * * * * * ✖ This website uses cookies to ensure the best website experience. By continuing to use this website you are giving your consent to cookies being used. Detailed information about our use of cookies is here. cookie script