December 25, 2024
New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively,

Feb 20, 2024NewsroomMalware / Supply Chain Security

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.

“The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding,” ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.

The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision’s employees to PyPI.

In other words, the goal is to trick developers searching for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.

Contained within the two libraries is a setup.py script that’s designed to download two files, an actual executable from Beijing-based Kingsoft Corporation (“ComServer.exe”) that’s vulnerable to DLL side-loading and the malicious DLL to be side-loaded (“dgdeskband64.dll”).

In side-loading the DLL, the aim is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.

There is evidence to suggest that the packages are part of a wider campaign that involves the distribution of similar executables that are susceptible to DLL side-loading.

“Development organizations need to be aware of the threats related to supply chain security and open-source package repositories,” security researcher Karlo Zanki said.

“Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.