Business

North Korea’s Hacker Group Deploys Malicious Version of Python Package in PyPI Repository

Published

8 months ago

September 1, 2023

ReversingLabs spotted “VMConnect” in early August, a malicious supply chain campaign with two dozen rogue Python packages on PyPI.

It’s been observed that these packages mimicked the following known open-source Python tools:-

vConnector
eth-tester
Databases

Cybersecurity researchers at ReversingLabs recently identified that a North Korean hacker group is actively deploying malicious versions of Python Packages in the PyPI repository.

The security analysts analyzed all the malicious packages, and after successfully decrypting the malicious packages, they linked their roots to Labyrinth Chollima, a branch of the renowned North Korean state-sponsored group Lazarus.

Recent years witnessed malicious actors imitating open-source packages, using tactics like typosquatting to trick busy developers into installing malware.

Malicious packages

Here below, we have mentioned all the malicious packages that the security experts identified:-

tablediter (736 downloads)
request-plus (43 downloads)
requestspro (341 downloads)

The first of the three new packages pretends to be a table editing tool, while the others imitate the ‘requests’ Python library, adding ‘plus’ and ‘pro’ to seem like enhanced legitimate versions.

Malicious Python Package in PyPI Repository

The malicious actors used evasion tactics like typosquatting and mimicked the ‘requests’ package, copying its description and files without any additions.

The malicious packages in the “__init__.py” file were only altered and modified to launch a thread executing a function from the “cookies.py” file after the addition of a few lines of code.

The cookies.py file was altered with malicious functions to gather machine data, sending it via POST to a C2 server URL. It then retrieves a token via a GET HTTP request to another C2 server URL.

The infected host receives a double-encrypted Python module with execution parameters, decoding it and downloading the next malware stage from a provided URL.

Similar to the previous VMConnect campaign, the C2 server waited for suitable targets, withholding additional commands, making campaign assessment challenging.

While investigating VMConnect, ReversingLabs aimed to connect it with other malware campaigns, uncovering hints linking it to Lazarus Group, a North Korean APT group.

Further investigation found the py_QRcode package mentioned in a July 2023 JPCERT report (https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html), but it was never on PyPI. This raises questions about how the malware reached victims despite being tied to this package.

Code similarities between VMConnect and JPCERT/CC findings link both to the Lazarus Group, confirming North Korean state sponsorship.