Published on February 21, 2024, 2:13 pm

Title: “Warning Issued As Python Developers Targeted By Malware Via Dll Side-Loading And Typosquatting”

Hackers have recently been observed utilizing a combination of two well-known methods in an attempt to distribute malware to Python developers: DLL side-loading and typosquatting. Research from ReversingLabs has uncovered two suspicious Python packages, NP6HelperHttptest and NP6HelperHttper, on the PyPI repository. Installation of these packages could potentially enable attackers to execute malicious code on vulnerable endpoints.

According to cybersecurity experts, these two packages are actually disguised versions of legitimate tools known as NP6HelperHttp and NP6HelperConfig, developed by employees of ChapsVision for a marketing automation solution. The malicious actors behind this scheme seem to be counting on Python developers searching for these tools but inadvertently selecting the compromised ones. Those who fall into this trap will unwittingly trigger a script that downloads a malicious DLL named dgdeskband64.dll and an executable susceptible to side-loading called ComServer.exe.

During execution, the executable interacts with the DLL, which then communicates with a domain controlled by the hackers and retrieves what appears to be a GIF file. In reality, this file contains shellcode designed for a Cobalt Strike beacon. Experts indicate that these two compromised packages may be part of a more extensive malicious campaign targeting unsuspecting developers.

Karlo Zanki, a security researcher, emphasized the importance for development organizations to stay vigilant about threats related to supply chain security and open-source package repositories. Even if companies do not directly use such repositories, threat actors can still exploit them to impersonate legitimate entities and their software products.

It was found that the malicious packages had been downloaded approximately 700 times before being identified and removed from the repository. This incident underscores the ongoing threat of supply chain attacks through platforms like PyPI. Just recently, researchers issued warnings about over 400 malevolent packages circulating via PyPI, causing data breaches, app compromises, and cryptocurrency thefts. Many of these attacks leverage typosquatting techniques in an effort to deceive users into downloading harmful software packages.


Comments are closed.