VMConnect supply chain attack continues, evidence points to North Korea
In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.
The research team has continued monitoring PyPI and now has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign. However, an analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an …
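A defender-side check that follows from the name-mimicry pattern described above, added here as an example and not ReversingLabs' code: it normalizes each requirements.txt entry per PEP 503, flags the three package names the article reports, and flags decorated or near-miss copies of a legitimate-package allow-list. The allow-list, the decoration suffixes and the sample requirements body are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Package names the article reports as malicious in the second VMConnect wave.
KNOWN_MALICIOUS = {"tablediter", "request-plus", "requestspro"}
# Constructed allow-list of the legitimate packages a project depends on (assumption).
POPULAR = {"requests", "tabulate", "databases", "eth-tester", "vconnector", "pyvmomi"}
# Suffixes commonly bolted onto a real name to produce a lookalike (assumption).
DECORATIONS = ("pro", "plus", "py", "lib", "utils", "2", "3")
# Constructed requirements.txt body used as sample input.
SAMPLE_REQUIREMENTS = "requests==2.31.0\n# pinned for CI\nRequests-Pro\ntablediter>=1.0\nnumpy\n"

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_', '.' to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line: str) -> Optional[str]:
    """Distribution name from one requirements.txt line; None for comments and options."""
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0].strip())
    return m.group(1) if m else None

def strip_decoration(n: str) -> str:
    """'requests-pro' -> 'requests', 'tabulate2' -> 'tabulate'; unchanged if no suffix."""
    for d in DECORATIONS:
        if n.endswith(d) and len(n) > len(d) + 1:
            return n[: -len(d)].rstrip("-")
    return n

def classify(name: str) -> Tuple[str, Optional[str]]:
    """Verdict: known-malicious, ok, lookalike (plus the name it mimics) or unknown."""
    n = normalize(name)
    if n in KNOWN_MALICIOUS:
        return "known-malicious", None
    if n in POPULAR:
        return "ok", n
    bare = strip_decoration(n)
    for p in POPULAR:  # decorated copy, or close edit-distance match, of a real name
        if bare == p or SequenceMatcher(None, n, p).ratio() >= 0.8:
            return "lookalike", p
    return "unknown", None

def scan_requirements(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each package in a requirements.txt body as (name, verdict, mimicked)."""
    names = (parse_requirement(line) for line in text.splitlines())
    return [(n,) + classify(n) for n in names if n]
```

Running `scan_requirements(SAMPLE_REQUIREMENTS)` marks `Requests-Pro` as a lookalike of `requests` and `tablediter` as known malicious, while `numpy` is merely unknown because it is absent from the constructed allow-list.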