This Week in Malware—Malicious ‘Distutil’ and Spring4Shell active exploitation

by Ax Sharma on April 22, 2022

This week in malware we have a lot to go over. A mysterious ‘Distutil’ Python library found on the PyPI repository, active Spring4Shell exploitation by threat actors deploying crypto-miners, ProxyShell exploits targeting Microsoft Exchange servers, an open source utility claiming to add Google Play store to PCs but containing obfuscated malware, ongoing dependency confusion attempts, and last but not the least, the GitHub OAuth tokens compromise, that impacted a dozen organizations including npm.

1. Meet ‘Distutil’, not the distutils you know

In October 2021, a mysterious ‘distutil’ package was published to the Python Package Index (PyPI) registry. As of today, the package has been retrieved over 2,000 times via user-initiated downloads and automated mirrors.

The name might ring a bell as ‘distutils‘ is a now-deprecated Python library that provided support for building and installing additional modules into a Python installation. ‘Distutil’ on the other hand is, what looks like a typosquatting attempt.

Sponsorships Available

To be fair, the package’s homepage does indicate “don’t download this,” and the code inside the package implies this is part of a pen-testing activity or similar research.

The ‘setup.py’ file within the ‘Distutil’ typosquat executes base64-encoded code:

As shown below, the code establishes a socket connection to a local IP address (perhaps a WiFi router or similar device) on port 4444—which is commonly used by Metasploit/Meterpreter exploits, further indicating this relates to pen-testing activity (likely, ethical research).

The package was brought to our attention by Uwe Maurer, Enterprise Architect at EnBW. Further research by Sonatype security researcher Juan Aguirre confirmed the package is indeed malicious and after our report to PyPI, ‘distutil’ was taken down.

‘The ‘distutil’ package has assigned the sonatype-2022-2374 identifier within our security research catalog.