
Malicious ‘aptX’ Python Package Drops Meterpreter Shell, Deletes ‘netstat’


This week we have identified malicious Python packages on the PyPI software registry that carry out a bunch of nefarious activities including:

  • dropping malware
  • deleting the “netstat” utility
  • tampering with the SSH “authorized_keys” file on your system.

Tracked under sonatype-2023-0810 in our data, these malicious PyPI packages are listed below:

  • aptx – 237 downloads*
  • bingchilling2 – 70 downloads*
  • httops – 39 downloads*
  • tkint3rs – 105 downloads*

(*Download stats are provided by pepy.tech and may include downloads initiated by both humans and automated mirrors)

These findings were flagged by Sonatype’s automated malware detection system, offered as a part of Sonatype Repository Firewall. Our security researcher Oscar Prado further analyzed these packages and reported them to PyPI admins given the evidence of malicious activity.

Named tactfully, and mawkishly

Most of these packages had well-thought-out names chosen to confuse people. For example, “aptx” is the name of Qualcomm’s highly popular audio codec used by a variety of Bluetooth devices. “httops” and “tkint3rs” are intentional misspellings (typosquats) of the “https” protocol and the “tkinter” Python interface respectively.

As for bingchilling2, you be the judge.

Taking a look inside ‘aptx’ for example, we see a simple ‘setup.py’ manifest file that appears benign, with dummy authorship information:

A screenshot of the 'setup.py' manifest file that contains dummy authorship information.

Obfuscated Meterpreter trojan disguised as “pip”

Scrolling past the blank lines we notice the introduction of suspicious code:

A screenshot of the introduction of the obfuscated Meterpreter trojan disguised as "pip".

The malicious code keeps creating familiar-sounding files in a “.pip” directory. But do not be fooled. This has nothing to do with the Python development tool “pip.”

Lines 50 and 54, which contain a Python “bytes object” written out in hex, essentially write a Linux binary (ELF) file to disk: a Meterpreter trojan generated by the pentesting tool Metasploit [VirusTotal analysis]. The file is highly stripped and obfuscated, which hinders (Read more...)
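The behaviour described above (a large hex bytes literal that is really an ELF payload, files dropped under a “.pip” directory, removal of netstat, and edits to the SSH authorized_keys file) is the kind of thing you can triage statically before a package ever runs. The following is an added example written for this page, not code from the Sonatype post or from the malicious packages themselves. It parses a setup.py with Python’s ast module and reports those indicators; the two embedded setup.py samples are constructed stand-ins (the “ELF” blob is just the magic bytes plus padding), and the 64-byte blob threshold and the list of suspicious strings are assumptions chosen for illustration.

```python
"""Added example (not from the original post): static triage of a setup.py
for the indicators described in the write-up. All sample inputs are constructed."""
import ast

ELF_MAGIC = b"\x7fELF"
MIN_BLOB_LEN = 64  # assumption: a dropped binary is far larger than this

# Assumption: substrings worth flagging in any string literal of a setup.py.
SUSPICIOUS_STRINGS = {
    "authorized_keys": "references the SSH authorized_keys file",
    "netstat": "references the netstat utility",
    ".pip": "writes into a '.pip' directory (unrelated to the pip tool)",
}
DELETE_CALLS = {"os.remove", "os.unlink", "shutil.rmtree"}


def _dotted_name(node):
    """Return 'os.remove' for an Attribute/Name chain, or '' if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> list:
    """Return human-readable findings for one setup.py source string."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant):
            val = node.value
            if isinstance(val, bytes) and len(val) >= MIN_BLOB_LEN:
                # A hex-escaped bytes literal this size is a payload, not packaging metadata.
                kind = "ELF binary" if val.startswith(ELF_MAGIC) else "opaque blob"
                findings.append(f"line {node.lineno}: embedded {kind} of {len(val)} bytes")
            elif isinstance(val, str):
                for needle, why in SUSPICIOUS_STRINGS.items():
                    if needle in val:
                        findings.append(f"line {node.lineno}: {why}")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DELETE_CALLS:
                str_args = [a.value for a in node.args
                            if isinstance(a, ast.Constant) and isinstance(a.value, str)]
                if any("netstat" in a for a in str_args):
                    findings.append(f"line {node.lineno}: {name} called on a netstat path")
    return findings


# Constructed sample: mimics the described behaviour with a fake 127-byte "ELF".
_FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 120
SAMPLE_MALICIOUS = f'''
from setuptools import setup
import os

setup(name="example", version="0.1", author="John Doe")  # dummy authorship

d = os.path.expanduser("~/.pip")
os.makedirs(d, exist_ok=True)
payload = {_FAKE_ELF!r}
with open(os.path.join(d, "pip"), "wb") as fh:
    fh.write(payload)
os.remove("/usr/bin/netstat")
with open(os.path.expanduser("~/.ssh/authorized_keys"), "a") as fh:
    fh.write("ssh-ed25519 AAAA... attacker")
'''

# Constructed sample: an ordinary package manifest that should produce no findings.
SAMPLE_BENIGN = '''
from setuptools import setup

setup(
    name="httpclient-demo",
    version="1.0.0",
    description="Small HTTP helper",
    packages=["httpclient_demo"],
    install_requires=["requests>=2.0"],
)
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"== {label} ==")
        for line in scan_setup_py(src) or ["no findings"]:
            print(" ", line)
```

Parsing with ast rather than grepping means a payload split across several bytes literals still shows up as several flagged constants, and string needles are matched only in real literals, not in comments. It is a triage aid, not a verdict: obfuscated packages that build the blob at run time (for example by decoding base64 or concatenating fragments) will not trip the bytes check, which is why the post’s packages were ultimately confirmed by a human analyst and a sandbox run.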

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat