- Socket found seven malicious packages on PyPI
- The packages abused Gmail and WebSockets
- They have been removed from the platform
Several malicious PyPI packages have recently been observed abusing Gmail to exfiltrate stolen sensitive data and communicate with their operators.
Cybersecurity researchers at Socket, who found the packages, reported them to the Python repository and helped get them removed from the platform – but the damage had already been done.
According to Socket, there were seven malicious PyPI packages, some of which had sat on the platform for more than four years. Cumulatively, they had more than 55,000 downloads. Most imitate the legitimate Coffin package, with names like Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022 and Coffin-Grave. One was called cfc-bsb.
Compromised hosting accounts
The researchers explained that once a package is installed on the victim's system, it connects to Gmail using hard-coded credentials and contacts the C2 server.
It then creates a tunnel using WebSockets, and since Gmail's mail servers are used for the communication, the traffic bypasses most firewalls and other security controls.
As a result, the attackers are able to send commands, steal files, execute code and even gain remote access to systems.
However, it seems the crooks are mainly interested in stealing cryptocurrency, since one of the email addresses the malware reaches out to has the words “blockchain” and “bitcoin” in it:
“Coffin-Codes-Pro establishes a connection to the Gmail SMTP server using hard-coded credentials, namely sphacoffin@gmail[.]com and a password,” says the report.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com, reporting that the implant is working.”
Socket warned any Python users running one of the packages in their environment to remove them immediately and to rotate keys and credentials where necessary.
The researchers also urged everyone to monitor unusual outgoing connections, “particularly SMTP traffic”, and warned them not to trust a package simply because it is a few years old.
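One way to act on both pieces of advice, as an added example that is not from the article or from Socket's own tooling: audit a requirements file (or the installed distributions) for the package names the article lists, and scan connection logs for direct outbound SMTP from hosts that are not the organisation's mail relay. The log format, the relay address 10.0.0.25 and the 203.0.113.x destinations are constructed for the example; package name matching uses PEP 503 normalisation so that `Coffin_Codes.Pro` and `coffin-codes-pro` are treated as the same name, exactly as pip would.

```python
import ipaddress
import re
from dataclasses import dataclass
from importlib import metadata
from typing import Iterable, List

# Package names reported as malicious in the article (normalised form).
KNOWN_BAD = {
    "coffin-codes-pro", "coffin-codes-net2", "coffin-codes-net",
    "coffin-codes-2022", "coffin2022", "coffin-grave", "cfc-bsb",
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Extract project names from requirements-style lines (comments, specifiers, extras dropped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and pip options such as -r / --index-url
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def find_known_bad(installed: Iterable[str]) -> List[str]:
    """Return the names (as given) whose normalised form is on the known-bad list."""
    return sorted({n for n in installed if normalize(n) in KNOWN_BAD})


def installed_distributions() -> List[str]:
    """Names of all distributions visible to the current interpreter."""
    return [d.metadata["Name"] for d in metadata.distributions()]


# Constructed requirements file: one typosquat hidden among normal dependencies.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
Coffin_Codes.Pro>=1.0   # looks like a harmless helper
cfc-bsb
"""

# ---- outbound SMTP monitoring -------------------------------------------------

SMTP_PORTS = {25, 465, 587}
ALLOWED_SMTP_SOURCES = {"10.0.0.25"}           # constructed: the corporate mail relay
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_conn(line: str) -> Conn:
    """Constructed log format: '<ts> <src> <dst> <dport> <proto> <bytes_out>'."""
    ts, src, dst, dport, proto, bytes_out = line.split()
    return Conn(ts, src, dst, int(dport), proto, int(bytes_out))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_smtp(lines: Iterable[str]) -> List[Conn]:
    """Flag TCP connections to SMTP ports that leave the network from a non-relay host."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        c = parse_conn(line)
        if c.proto != "tcp" or c.dport not in SMTP_PORTS:
            continue
        if c.src in ALLOWED_SMTP_SOURCES or is_internal(c.dst):
            continue                              # relay traffic, or mail handed to the internal relay
        alerts.append(c)
    return alerts


# Constructed connection records: a workstation talking SMTPS straight to the internet.
SAMPLE_CONNS = [
    "2024-05-01T09:12:03Z 10.0.5.17 203.0.113.10 465 tcp 18432",
    "2024-05-01T09:12:05Z 10.0.5.17 203.0.113.20 443 tcp 2210",
    "2024-05-01T09:13:44Z 10.0.0.25 203.0.113.30 25 tcp 5100",
    "2024-05-01T09:15:01Z 10.0.5.17 10.0.0.25 587 tcp 900",
]

if __name__ == "__main__":
    for name in find_known_bad(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"known-bad package in requirements: {name}")
    for c in suspicious_smtp(SAMPLE_CONNS):
        print(f"{c.ts} {c.src} -> {c.dst}:{c.dport} ({c.bytes_out} bytes): direct outbound SMTP from non-relay host")
```

Running `find_known_bad(installed_distributions())` in the affected virtual environment gives the same check against what is actually installed rather than what was declared. The SMTP rule deliberately ignores mail handed to the internal relay, so a hit means a host is speaking SMTP to the internet on its own, which is the pattern the article describes.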
“To protect your codebase, always verify package authenticity by checking download counts, publisher history and GitHub repository links,” they added.
“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
Via BleepingComputer