SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
ESET uncovers malicious Python projects spreading via PyPI
Mon, 1st Jan 2024

ESET Research has unearthed a series of malicious Python projects circulated via PyPI, the official package repository for the Python programming language.

The identified threat seeks out both Windows and Linux systems, primarily deploying a customised backdoor with cyberespionage functionalities. This allows remote command execution, file exfiltration and, sometimes, enables screenshots to be taken.

The final payload often takes the form of a variant of the harmful W4SP Stealer, which targets personal data and credentials, or simply a clipboard monitor designed to steal cryptocurrency. According to ESET, 116 file variants across 53 projects contained malware, downloaded over 10,000 times during the past year.

PyPI is a favoured resource for Python programmers to share and download code. As any individual can contribute, malware can sometimes infiltrate, masquerading as authentic, popular code libraries. However, the majority of downloads are not due to 'typosquatting', but rather come about through social engineering, explained Marc-Étienne Léveillé from ESET Research, who unearthed and examined these malicious packages.

Many of these packages were already removed from PyPI by the time the research was published. ESET has asked PyPI to address any remaining packages, and currently, all known malicious packages have been disabled.

ESET identified that the threat actors in this campaign have been using a trio of methods to pack malicious code into the Python packages. The first technique entails inserting minimally disguised code within a test module in the package.

The second involves embedding PowerShell code into a setup.py file, usually automatically run by package managers like pip to assist with Python project installations. For the third technique, the contributors make no attempt to include any legitimate code, meaning only the lightly disguised malicious code remains present.

Typically, the concluding payload is a tailored backdoor that enables remote instruction execution, file extraction, and sometimes the capability to capture screenshots. On Windows, the backdoor is deployed in Python while on Linux, it's implemented using the Go programming language. In some instances, a form of the notorious W4SP Stealer or a basic clipboard monitor for cryptocurrency theft replaces the backdoor or is used in conjunction with it.

Python developers are urged to scrutinise the code they download before installing it on their systems. Léveillé warns, "We anticipate that such misuse of PyPI will persist, and advise mindfulness when installing code from any public software repository."
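One way to act on that advice for the second technique described above (PowerShell embedded in setup.py) is to parse the file statically before pip ever runs it. The following is an added example, not code from ESET or from the article; the function names, marker lists and both sample files are constructed for illustration.

```python
import ast

# Calls that run code or spawn processes; a normal setup.py rarely needs them.
EXEC_CALLS = {"exec", "eval", "compile", "os.system", "os.popen",
              "subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_call", "subprocess.check_output"}
# Substrings that indicate a PowerShell command line inside a string literal.
SHELL_MARKERS = ("powershell", "pwsh", "-encodedcommand", "invoke-expression")

# Constructed samples (payload replaced by a placeholder), not real packages.
SAMPLE_SETUP = '''
from setuptools import setup
import subprocess
subprocess.Popen("powershell -EncodedCommand <PLACEHOLDER>", shell=True)
setup(name="example-pkg", version="0.0.1")
'''
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.0.1")
'''

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def audit_source(source, filename="setup.py"):
    """Parse source without importing or running it; return sorted findings."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and dotted_name(node.func) in EXEC_CALLS:
            findings.append((node.lineno, "exec-call", dotted_name(node.func)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            low = node.value.lower()
            hit = next((m for m in SHELL_MARKERS if m in low), None)
            if hit:
                findings.append((node.lineno, "powershell-string", hit))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, kind, detail in audit_source(SAMPLE_SETUP):
        print(f"setup.py:{lineno}: {kind}: {detail}")
```

The same function can be pointed at a package's test modules, where the first technique hides its code. It is a triage aid only: aliased imports or heavier obfuscation will evade these simple name and substring checks, so a clean result does not replace reading the code.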

From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's solutions are designed to protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption.

Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of the future.