Lazarus uploading malware to open-source PyPI software repository

Supply chain attack leaves developers in Asia at particular risk

Lazarus hackers uploading malware to open-source PyPI software repository, Japan warns


Japan's Computer Security Incident Response Team (JPCERT/CC) has issued a warning to developers worldwide following the discovery of four malicious PyPI packages uploaded by the notorious North Korean hacking group, Lazarus.

The packages, designed to infiltrate developers' systems with malware, have already compromised thousands of systems, raising concerns about cybersecurity vulnerabilities within the Python community.

PyPI (Python Package Index) is a repository of open-source software packages widely used by developers.

According to JPCERT, Lazarus recently attempted to infiltrate unsuspecting developers' projects by disguising their malware as legitimate Python packages.

The four nefarious packages identified by JPCERT/CC are as follows:

• pycryptoenv

• pycryptoconf

• quasarlib

• swapmempool

These names are shrewdly crafted to resemble legitimate Python packages, such as the widely-used 'pycrypto' project.

Although promptly removed from PyPI, these packages had already been downloaded over 3,000 times, highlighting the extent of the compromise.

Each of these packages contains a 'test.py' file which, rather than being a genuine Python script, is an XOR-encoded DLL that the package's '__init__.py' decodes and executes. Upon execution, the malware decodes and writes additional DLL files, disguised as innocuous database files.

The ultimate payload, named "Comebacker," is executed in memory, connecting the infected systems to the hacker's command and control (C2) server.
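One defensive check for the pattern described above (a 'test.py' that is really an XOR-encoded DLL) is to verify that every .py file in a package actually parses as Python and, where one does not, test whether a single-byte XOR key turns it into a PE image. The following is an added example written for this article, not JPCERT/CC's or PyPI's own tooling; the sample package contents are constructed, and the fake PE header is not real malware.

```python
import ast
from typing import Dict, List, Optional

# Marker text found in the DOS stub of nearly every Windows PE file.
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the encoding the article describes for test.py."""
    return bytes(b ^ key for b in data)

def parses_as_python(data: bytes) -> bool:
    """A genuine .py file compiles; an encoded binary blob does not."""
    try:
        ast.parse(data)
        return True
    except (SyntaxError, ValueError, UnicodeDecodeError):
        return False

def find_xor_pe_key(data: bytes) -> Optional[int]:
    """Return the single-byte XOR key mapping `data` onto a PE image, or None."""
    if len(data) < 2:
        return None
    # Only one key can turn the first two bytes into the 'MZ' signature;
    # the DOS-stub marker is then checked as an independent confirmation.
    key = data[0] ^ ord("M")
    if data[1] ^ key != ord("Z"):
        return None
    if DOS_STUB_MARKER not in xor_bytes(data[:512], key):
        return None
    return key

def scan_package(files: Dict[str, bytes]) -> List[str]:
    """Flag .py files that are not Python source but decode to a PE under XOR."""
    findings = []
    for name, content in files.items():
        if not name.endswith(".py") or parses_as_python(content):
            continue
        key = find_xor_pe_key(content)
        if key is not None:
            findings.append(f"{name}: XOR key 0x{key:02x} yields a PE image")
    return findings

# Constructed sample package: a benign __init__.py and a test.py holding a
# minimal fake PE header XOR-encoded with 0x5A (not real malware bytes).
FAKE_PE = (b"MZ" + b"\x00" * 62 + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"
           + DOS_STUB_MARKER + b".\r\r\n$" + b"\x00" * 16)
SAMPLE_PACKAGE = {
    "__init__.py": b"import os\n\ndef helper():\n    return os.getcwd()\n",
    "test.py": xor_bytes(FAKE_PE, 0x5A),
}
```

Running `scan_package(SAMPLE_PACKAGE)` reports the encoded test.py and its key while leaving the benign `__init__.py` unflagged; a .py file that merely fails to parse without decoding to a PE produces no finding.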

The Comebacker malware, previously identified by Google analysts in January 2021, establishes a connection with the C2 server, transmits encoded strings via HTTP POST requests and loads further Windows malware onto the compromised systems.

Lazarus, with its extensive history of cyberattacks, has primarily targeted corporate networks to perpetrate financial fraud, particularly in the realm of cryptocurrency.

GitHub issued a warning last July that Lazarus was targeting developers in the cryptocurrency, blockchain, online gambling, and cybersecurity sectors, using malicious repositories to ensnare unsuspecting victims.

JPCERT/CC advises developers to exercise caution when sourcing packages from PyPI and recommends thorough vetting of all dependencies to mitigate the risk of future cyberattacks.

Dale Gardner, a senior director and analyst at Gartner, described the attack as a classic example of typosquatting, where developers are lured into downloading packages containing malicious code.

"These types of attacks are growing rapidly — the Sonatype 2023 open source report revealed 245,000 such packages were discovered in 2023, which was twice the number of packages discovered, combined, since 2019," Gardner said.

While PyPI's reach extends globally, experts warn that developers in Asia, in particular, may be disproportionately affected.

Taimur Ijlal, an information security leader at Netify, lists potential language barriers and limited access to security information as some factors contributing to heightened vulnerability among Asian developers.

With small and startup software firms in Asia often operating on limited security budgets, the challenge of defending against sophisticated threat actors like Lazarus becomes even more daunting.

Limited budgets mean "weaker processes, tools, and incident response capabilities" making "infiltration and persistence more attainable goals for sophisticated threat actors," said Jed Macosko, a research director at Academic Influence.

Although developers can implement measures to reduce exposure, the primary responsibility lies with platform providers such as PyPI to thwart abuse, Kelly Indah, a tech expert and security analyst at Increditools, suggests.

She asserts that developer teams worldwide depend on the reliability and security of core repositories, and that incidents like the Lazarus attack on PyPI erode this trust.

"But through enhanced vigilance and a coordinated response from developers, project leaders, and platform providers, we can work together to restore integrity and confidence," Indah adds.