Novel ELF64 Remote Access Tool Embedded in Malicious PyPI Uploads

2024-02-29, Vipyrsec
https://vipyrsec.com/research/elf64-rat-malware/
#WebLogTea #PyPI

Contents

Analyzing a Linux-targeted malware campaign on the Python Package Index.
Introduction
On 19 February, Vipyr Security scanning services notified us of a malicious upload to the Python Package Index (PyPI) by the name real-ids. This Python package, and subsequent uploads attributed to the same threat actor, contain 'remote access tool' capabilities: remote code execution, remote file upload and download, and a beaconing service to an HTTPS-based C2.
Malicious packages:

| Package | Upload Time (UTC) |
|---|---|
| [email protected] | 2024-02-19T13:47Z |
| [email protected] | 2024-02-19T13:52Z |
| [email protected] | 2024-02-20T01:43Z |
| [email protected] | 2024-02-20T02:24Z |
| [email protected] | 2024-02-20T02:30Z |
| [email protected] | 2024-02-20T07:27Z (Benign) |
| [email protected] | 2024-02-20T08:55Z |
| [email protected] | 2024-02-20T11:17Z |
| [email protected] | 2024-02-21T12:51Z (Benign) |
| [email protected] | 2024-02-28T12:43Z |
Analysis
Staging
The malicious payload is placed in os.py files within typosquats of popular packages. During the initialization of these packages, this os module is imported, which executes the payload. The payload is stored as a string wrapped in multiple layers of base64 or hex encoding, although base64 was only observed in [email protected]. The threat actors' obfuscation technique is fairly novice compared to others, as they don't make any attempt to …
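The staging described above (a string literal under several layers of hex or base64 that is decoded and handed to exec when the bundled os.py is imported) can be inspected statically, without ever importing the suspicious module. The following Python is an added example, not code from the lazarusholic page or from the Vipyrsec write-up: it parses a module's AST, finds long string constants, peels hex and base64 layers until nothing decodes further, and separately flags any exec/eval call. The sample os.py source it scans is constructed here with a harmless placeholder string and does not reproduce the real payload.

```python
"""Added example (not part of the page or the Vipyrsec research): statically
peel layered hex/base64 string literals out of a package's os.py without
executing it. SAMPLE_OS_PY below is a constructed stand-in, not real malware."""
import ast
import base64
import binascii
import re

# Constructed sample: a typosquat-style os.py that hides a string under a hex
# layer wrapped around a base64 layer. The inner text is a harmless placeholder.
_INNER = b"print('placeholder payload: this is the decoded inner layer')"
_LAYER1 = base64.b64encode(_INNER)      # base64 layer
_LAYER2 = binascii.hexlify(_LAYER1)     # hex layer on top of it
SAMPLE_OS_PY = f'''
import base64, binascii
_d = "{_LAYER2.decode()}"
exec(base64.b64decode(binascii.unhexlify(_d)))
'''


def _try_hex(data: bytes):
    """Return the hex-decoded bytes, or None if data is not a hex string."""
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return binascii.unhexlify(s)


def _try_b64(data: bytes):
    """Return the base64-decoded bytes, or None if data is not valid base64."""
    s = data.strip()
    if len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_layers(blob: bytes, max_layers: int = 10):
    """Repeatedly undo hex or base64 until nothing decodes any further.
    Returns (layers, final_bytes); layers lists the encodings removed, outermost first."""
    layers = []
    cur = blob
    for _ in range(max_layers):
        for name, fn in (("hex", _try_hex), ("base64", _try_b64)):
            out = fn(cur)
            if out is not None and out != cur:
                layers.append(name)
                cur = out
                break
        else:
            break  # neither decoder applied: we have reached the innermost layer
    return layers, cur


def find_encoded_literals(source: str, min_len: int = 40):
    """Walk the AST for string constants long enough to be worth decoding.
    Only the parse tree is examined, so the module is never imported or run."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= min_len:
                layers, decoded = peel_layers(node.value.encode())
                if layers:
                    hits.append({"lineno": node.lineno, "layers": layers,
                                 "decoded": decoded})
    return hits


def calls_exec_or_eval(source: str) -> bool:
    """Flag the second half of the pattern: a direct call to exec() or eval()."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"}):
            return True
    return False


if __name__ == "__main__":
    for hit in find_encoded_literals(SAMPLE_OS_PY):
        print(f"line {hit['lineno']}: layers={hit['layers']} decoded={hit['decoded']!r}")
    print("exec/eval present:", calls_exec_or_eval(SAMPLE_OS_PY))
```

In a package-scanning pipeline the same two functions would be run over every os.py (or any module shadowing a standard-library name) found inside an sdist or wheel, and a hit on both checks, an encoded literal that peels down to source text plus an exec/eval call, is a strong reason to quarantine the upload for manual review.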

IoC

33c9a47debdb07824c6c51e13740bdfe
973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
http://arcashop.org
http://jdkgradle.com
http://pypi.online
https://arcashop.org/boards.php?type=
https://jdkgradle.com/jdk/update/check
https://pypi.online/cloud.php?type=