New Malicious PyPI Packages used by Lazarus
JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows:
- pycryptoenv
- pycryptoconf
- quasarlib
- swapmempool
The package names pycryptoenv and pycryptoconf resemble pycrypto, a Python package that implements encryption algorithms. The attacker therefore most likely published these malware-carrying packages as typosquats, counting on users mistyping the name when installing Python packages.
This article provides details on these malicious Python packages.
File structure of the malicious Python packages
Since the malicious Python packages confirmed this time have almost the same file structure, this article uses pycryptoenv as the example in the following sections. The malicious package has the file structure shown in Figure 2. The main body of the malware is a file named test.py. Despite its extension, this file is not Python source but binary data: an encoded DLL file.
The code to decode …
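As an added example (not from the article or from the package itself), the check below scans an unpacked package directory for .py files that do not decode and parse as Python source, which is exactly the property of the test.py described above, and also compares each file's SHA-256 against the hashes listed in the IoC section of this page. The sample package directory it builds is constructed for the demonstration; the opaque bytes it writes to test.py are not the real payload.

```python
import ast
import hashlib
import pathlib
import tempfile

# SHA-256 values from the IoC section of this article.
IOC_SHA256 = frozenset({
    "956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531",
    "a4e4618b358c92e04fe6b7f94a114870c941be5e323735a2e5cd195138327f8f",
    "a8a5411f3696b276aee37eee0d9bed99774910a74342bbd638578a315b65e6a6",
    "aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a",
    "b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67",
    "c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff",
    "e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae",
})


def looks_like_python(data: bytes) -> bool:
    """True only if the bytes decode as UTF-8 and parse as Python source.
    An encoded DLL stored as test.py fails the first step; a text file that
    merely looks like code but does not parse fails the second."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    try:
        ast.parse(text)
    except (SyntaxError, ValueError):  # ValueError: null bytes on older CPython
        return False
    return True


def scan_package(root: pathlib.Path):
    """Walk an unpacked package and report files whose SHA-256 is a published
    IoC or whose .py extension hides non-Python content."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if digest in IOC_SHA256:
            reasons.append("sha256 matches published IoC")
        if path.suffix == ".py" and not looks_like_python(data):
            reasons.append(".py file is not Python source")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), digest, reasons))
    return findings


def build_sample_package() -> pathlib.Path:
    """Constructed stand-in for an unpacked package: a genuine __init__.py and
    a test.py holding opaque bytes. The blob is NOT the real payload."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="pkgscan-"))
    pkg = root / "pycryptoenv"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("def env():\n    return 'ok'\n")
    (pkg / "test.py").write_bytes(bytes(range(256)) * 4)
    return root


if __name__ == "__main__":
    for rel, digest, reasons in scan_package(build_sample_package()):
        print(rel, digest[:16], ", ".join(reasons))
```

Point scan_package at the directory left by `pip download` plus `unzip`, or at site-packages after an install, rather than trusting the package index. The parse check catches the specific trick used here (a binary blob with a .py name); it does not catch a loader that is valid Python, so it belongs alongside hash matching and code review, not in place of them.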
IoC
91.206.178.125
956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531
a4e4618b358c92e04fe6b7f94a114870c941be5e323735a2e5cd195138327f8f
a8a5411f3696b276aee37eee0d9bed99774910a74342bbd638578a315b65e6a6
aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a
b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67
c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff
e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae
http://91.206.178.125/upload/upload.asp
https://blockchain-newtech.com/download/download.asp
https://chaingrown.com/manage/manage.asp
https://fasttet.com/user/agency.asp