
Ransomware in PyPI: Sonatype Spots ‘Requests’ Typosquats

Sonatype has identified multiple malicious Python packages that contain ransomware scripts. These packages are named after a legitimate, widely known library called ‘Requests.’

While incidents of malware infiltrating open source repositories are hardly surprising, as we've repeatedly seen, it's not often that we come across open source packages dropping ransomware. The last time we saw this was in 2021, when we spotted npm typosquats launching MBRLocker ransomware.

Type Your Requests Carefully

Sonatype’s automated malware detection system, an integral part of our Nexus Firewall offering, has detected a set of malicious PyPI packages whose names are misspellings of ‘requests’. These packages contain ransomware scripts and have been assigned the identifier sonatype-2022-4350 in our security research data.

This means any developer who intends to install or include the ‘requests’ library in their project but inadvertently mistypes its name could instead pull down one of these malicious packages and get infected with ransomware.

These packages were analyzed by my colleague and Senior Security Researcher, Ankita Lamba.

In particular, all versions of the ‘requesys’ package contain scripts that traverse a Windows user’s folders, such as “Documents,” “Downloads,” and “Pictures,” and begin encrypting the files they find.

Versions 1.0-1.4 of ‘requesys’ contain the encryption and decryption code laid out in plaintext Python. Version 1.5, however, packs a base64-obfuscated executable (analyzed in the subsequent section), which makes analysis a tad more challenging.
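A base64 blob inside a Python file is only obfuscation in the loosest sense: the payload is still there, and a triage script can find and identify it without running anything. The helper below is an added example, not Sonatype's analysis code and not taken from the package. It scans Python source for long quoted base64 literals, decodes each one (standard or URL-safe alphabet), and reports any that start with a known executable or archive magic, together with a SHA-256 for use as an indicator. The `FAKE_PE` bytes and `SAMPLE_SOURCE` are constructed stand-ins, not the real ‘requesys’ 1.5 payload.

```python
"""Find base64-packed executables hidden in Python source (added example)."""
import base64
import binascii
import hashlib
import re

# A quoted run of base64-alphabet characters long enough to hold a binary rather than a token.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/=_-]{200,})\1""")

MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (also PyInstaller/zipapp payloads)",
}


def decode_base64_literal(blob: str):
    """Decode standard or URL-safe base64; return None if the literal is not valid base64."""
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(blob, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def find_embedded_executables(source: str):
    """Return one record per base64 literal that decodes to a known executable format."""
    hits = []
    for m in B64_LITERAL.finditer(source):
        data = decode_base64_literal(m.group(2))
        if data is None:
            continue
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                hits.append({
                    "line": source.count("\n", 0, m.start()) + 1,
                    "type": kind,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),  # IOC to pivot on
                })
                break
    return hits


# Constructed stand-in for a packed binary: a DOS header stub, an e_lfanew pointer,
# a PE signature and padding. It is not a runnable program.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"
           + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 128)

# Constructed loader-style source; the payload sits on line 3.
SAMPLE_SOURCE = (
    "import base64, os, subprocess, tempfile\n"
    "\n"
    'payload = "' + base64.b64encode(FAKE_PE).decode() + '"\n'
    "# a loader would write the decoded bytes to disk and execute them\n"
)

if __name__ == "__main__":
    for hit in find_embedded_executables(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['type']}, {hit['size']} bytes, sha256 {hit['sha256']}")
```

The decoded bytes are what should go to a sandbox or a PE parser; the source file itself is just the wrapper. Strings shorter than the 200-character floor are ignored on purpose, since short base64 literals (keys, tokens, small images) are everywhere in legitimate code.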

The program uses Fernet, the symmetric authenticated-encryption recipe from Python’s ‘cryptography’ package. Fernet is also used to randomly generate the encryption key (line 29 of the script), and because the scheme is symmetric, that same key is what the victim needs for decryption.
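For an incident responder, the choice of Fernet is useful news: its token format is fixed and self-describing. Every token is URL-safe base64 of a 0x80 version byte, a 64-bit big-endian timestamp, a 16-byte IV, the AES-CBC ciphertext and a 32-byte HMAC-SHA256 over the preceding fields, keyed with the first half of the decoded 32-byte key. That means an encrypted file can be recognised by its `gAAAAA` prefix, the time of encryption can be read out of it without the key, and a candidate key (recovered from the script, the ransom popup, or process memory) can be confirmed via the HMAC before anyone tries to decrypt. The script below is an added example written for this post, not Sonatype's code and not the ransomware's; it uses only the standard library, so the sample token's "ciphertext" is arbitrary bytes, and `SAMPLE_KEY`, `WRONG_KEY` and the timestamp are constructed values.

```python
"""Triage helper for Fernet-encrypted files, standard library only (added example)."""
import base64
import binascii
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
# base64url of the 0x80 version byte followed by the four high (zero) bytes of a
# 64-bit timestamp: every Fernet token made before the year 2106 starts this way.
FERNET_PREFIX = b"gAAAAA"
MIN_TOKEN_LEN = 1 + 8 + 16 + 32  # version + timestamp + IV + HMAC, with empty ciphertext


def looks_like_fernet(data: bytes) -> bool:
    """Cheap first-pass check for a file body that is a Fernet token."""
    return data.startswith(FERNET_PREFIX)


def parse_fernet_token(token: bytes) -> dict:
    """Split a Fernet token into its fields; no key is needed for this."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not base64url") from exc
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": timestamp,
        "encrypted_at": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "hmac": raw[-32:],
        "signed_body": raw[:-32],  # version || timestamp || IV || ciphertext
    }


def verify_fernet_key(token: bytes, key: bytes) -> bool:
    """True if `key` (32 bytes, base64url) is the key that produced `token`.
    Fernet signs the body with HMAC-SHA256 under the first 16 bytes of the decoded
    key, so a recovered key can be confirmed before any decryption is attempted."""
    raw_key = base64.urlsafe_b64decode(key)
    if len(raw_key) != 32:
        raise ValueError("Fernet keys are 32 bytes, base64url encoded")
    fields = parse_fernet_token(token)
    expected = hmac.new(raw_key[:16], fields["signed_body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])


def build_sample_token(key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble a structurally valid token for the constructed sample below. The
    ciphertext is arbitrary bytes: the stdlib has no AES, and neither the parser
    nor the HMAC check needs real ciphertext."""
    raw_key = base64.urlsafe_b64decode(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(raw_key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed sample data (not from the malicious package).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(range(1, 33)))
SAMPLE_TOKEN = build_sample_token(
    SAMPLE_KEY,
    timestamp=1659312000,      # 2022-08-01T00:00:00Z
    iv=b"\x11" * 16,
    ciphertext=b"\x22" * 32,   # two AES blocks' worth of stand-in bytes
)

if __name__ == "__main__":
    print("fernet?", looks_like_fernet(SAMPLE_TOKEN))
    print("encrypted at", parse_fernet_token(SAMPLE_TOKEN)["encrypted_at"])
    print("right key", verify_fernet_key(SAMPLE_TOKEN, SAMPLE_KEY))
    print("wrong key", verify_fernet_key(SAMPLE_TOKEN, WRONG_KEY))
```

Once a key verifies, the actual recovery step is the library's own `cryptography.fernet.Fernet(key).decrypt(token)`; the point of the stdlib check is that it can run on an isolated forensic host and tells you, per file, both when the encryption happened and whether the key you have is the right one.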

Should the program run successfully, a popup message would appear on the user’s screen, further instructing them to contact the package author b8ff aka “OHR (Only Hope Remains)” via their Discord server:

“IF YOU CLOSE THIS WINDOW YOUR FILES WILL BE ENCRYPTED FOREVER

Ooops… Your files are

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/ransomware-in-a-pypi-sonatype-spots-requests-typosquat