The recent Python-focused malware campaign is a case study in deception, manipulation and abuse of trust within the software supply chain. The Checkmarx Research team uncovered an operation affecting over 170,000 users and numerous organizations, including the Top.gg GitHub organization. The attackers chained a series of tactics, techniques and procedures, from account takeover via stolen browser cookies to publishing harmful packages to the PyPI registry. The campaign involved the creation of misleading open-source tools, the exploitation of popular GitHub projects, social engineering, and the distribution of a malicious dependency hosted on a fake Python package mirror built for the purpose. Victims, many of whom arrived through search engine results, unknowingly downloaded and ran these packages, which were disguised as legitimate Python tools, and exposed their credentials, browser data and even cryptocurrency wallets, undermining the trust users place in the Python package ecosystem.
Overview
This article examines an attack that specifically targeted the software supply chain and affected over 170,000 users. The campaign was notable both for its methods and for its sophistication: it combined a range of Tactics, Techniques and Procedures (TTPs), malicious open-source tools, and the long-standing trust that developers place in the Python ecosystem to propagate itself.
Attack on the Software Supply Chain
Discovery of the attack
The Checkmarx Research team discovered the campaign. Their analysis revealed a well-organized operation against the software supply chain, impacting numerous unknowing users and organizations.
Victims of the attack
The victims of this campaign included over 170,000 individual users and several organizations, among them Top.gg, whose GitHub organization was compromised. The breadth of the victim set shows how far a single poisoned dependency can travel.

Tactics, Techniques, and Procedures (TTPs)
Account takeover via stolen browser cookies
A central tactic was account takeover using stolen browser session cookies. A valid session cookie lets an attacker resume an already-authenticated session without supplying the password or a second factor, so the resulting activity looks like the legitimate user's own session and gives the attacker the same access to sensitive data and repositories.
Contributing malicious code with verified commits
With control of those accounts, the attackers contributed malicious code to repositories through verified commits. A "Verified" badge only attests that a commit was signed with a key associated with the account that made it; when the account itself is hijacked, the badge lends the malicious change the maintainer's credibility instead of exposing it. Presented this way, the harmful code passed as legitimate and laid the building blocks of the attack.
Setting up a fake Python mirror
The attackers also set up a fake Python package mirror: a domain styled to look like PyPI's official file host, serving a tampered copy of a legitimate package. The mirror was the delivery point for the malicious code, because any dependency that references it resolves to the poisoned file rather than the genuine one.
Publishing malicious packages to the PyPI registry
Finally, the attackers published malicious packages of their own directly to the PyPI registry, giving the campaign a foothold inside the official index as well as on the fake mirror.
Creation of Malicious Open-Source Tools
Clickbait descriptions to trick victims
The attackers also created a number of malicious open-source tools. Their repositories carried clickbait descriptions designed to attract users and persuade them to clone and run the code.
Luring victims from search engines
Most victims arrived from search engines, which indicates that the attackers deliberately optimized their repositories and packages to rank for common queries, luring users to booby-trapped projects rather than relying on direct outreach.

Distribution of Malicious Dependency
Hosted on a fake Python infrastructure
The malicious dependency was hosted on a fake Python infrastructure built for the campaign, so that any install resolving the dependency from that host received the poisoned copy.
Linking to popular GitHub projects
The attackers referenced the malicious dependency from popular GitHub projects, including ones they had hijacked, so that users who installed those projects' requirements also installed the poisoned package. This extended the reach of the malicious code to everyone who interacted with those projects.
Linking to legitimate Python packages
The poisoned dependency also kept the functionality of the legitimate Python package it impersonated, so projects that pulled it in continued to work normally. Nothing obvious prompted victims to look closer, which made the harmful code harder to detect.
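Both the fake-mirror TTP described earlier and the distribution mechanics in this section come down to one observable: a dependency that resolves to a host other than the official index. The scanner below is an added example, not code from this page, from Checkmarx or from Top.gg. It flags requirement lines that point pip at a direct URL, an extra index or a bare URL whose host is not on an allowlist, and separately marks hosts that borrow PyPI's name. The requirement lines and hostnames are constructed for the example; the campaign's real hostname is not reproduced here.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve packages. Anything else is reported.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Brand tokens that lookalike hosts tend to reuse.
BRAND_TOKENS = ("pypi", "pythonhosted")

_OPTION_RE = re.compile(r"^(?:-i|--index-url|--extra-index-url|-f|--find-links)[ =](\S+)")
_DIRECT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*(\S+)")
_URL_RE = re.compile(r"^[a-z+]+://\S+")

# Constructed requirements file. The third line is the pattern this article
# describes: a familiar package name pinned to an archive on a host whose name
# imitates PyPI's file server (the hostname is made up for this example).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# transitive dependency, pinned to an archive on a lookalike host
colorama @ https://files.pypihosted.example/packages/colorama-0.4.6.tar.gz
--extra-index-url https://mirror.internal.example/simple
numpy>=1.26
"""


def host_of(url: str) -> str:
    """Hostname of a requirement URL, tolerating VCS prefixes like git+https://."""
    scheme, _, rest = url.partition("://")
    if "+" in scheme:
        url = scheme.rsplit("+", 1)[1] + "://" + rest
    return (urlparse(url).hostname or "").lower()


def classify_host(host: str) -> str:
    if host in TRUSTED_HOSTS:
        return "trusted"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"   # borrows PyPI's name but is not PyPI
    return "untrusted"


def scan_requirements(text: str) -> list:
    """Return one finding per requirement line that would fetch code from a host
    outside TRUSTED_HOSTS, via an index option, a direct reference or a bare URL."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # pip treats '#' as a comment only at line start or after whitespace,
        # so URL fragments such as '#sha256=' survive this split.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if m := _OPTION_RE.match(line):
            url, kind = m.group(1), "index-option"
        elif m := _DIRECT_RE.match(line):
            url, kind = m.group(2), "direct-url"
        elif _URL_RE.match(line):
            url, kind = line.split()[0], "bare-url"
        else:
            continue  # plain name/version specifier, resolved from the index
        host = host_of(url)
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append({"line": lineno, "kind": kind, "host": host,
                             "verdict": verdict, "text": line})
    return findings


if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: {f['verdict']} host {f['host']} ({f['kind']}): {f['text']}")
```

Note what this check cannot catch: a package such as 'yocolor' that is published on the official index itself passes, because the host is legitimate. That gap is why hash pinning and review of newly added dependencies are still needed alongside a host allowlist.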
GitHub Account Takeover
Publication of malicious Python packages
As part of the scheme, the attackers seized several GitHub accounts. From those accounts they published further malicious Python packages and pushed hostile code into the projects the accounts could write to, spreading the campaign across the platform.
Utilization of social engineering schemes
Social engineering played a significant role. By trading on the trust users place in established maintainers and well-known projects, the attackers extended the reach and impact of the attack.

Multi-Stage and Evasive Payload
Stealing passwords and credentials
The payload was both multi-stage and evasive: each stage retrieved the next rather than shipping the full stealer at once, which kept the initial footprint small. Once running, it harvested passwords and credentials from the infected system, giving the attackers unauthorized access to a range of sensitive information.
Transmitting data to attackers’ infrastructure
After a successful infection, the harvested data was transmitted to the attackers' infrastructure, leaving victims exposed to further account compromise and fraud.
Deployment of Fake Python Package Mirror
Poisoned copy of popular package ‘colorama’
The attackers deployed a fake Python package mirror that served a poisoned copy of the widely used package 'colorama'. Users whose installs resolved colorama from that mirror unknowingly received and ran the compromised package under the genuine name.
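A poisoned copy served under the genuine name and version slips past a host check once the mirror has been trusted, but it cannot reproduce the official artifact's hash. The check below is an added example, not code from this page, from Checkmarx or from the colorama project. It compares a downloaded archive against the digests that pypi.org publishes for that release and emits a hash-pinned requirement line. The archive bytes, the release metadata and the filename are constructed stand-ins shaped like the pypi.org JSON API response; in practice the metadata is fetched from pypi.org, never from the mirror that served the file.

```python
import hashlib
import hmac

# Constructed stand-ins for archive bytes (not real colorama content). In
# practice `data` is whatever pip or you downloaded from the resolved host.
GENUINE_ARCHIVE = b"PK\x03\x04 constructed stand-in for the genuine colorama-0.4.6 archive"
POISONED_ARCHIVE = GENUINE_ARCHIVE + b"\n# appended stager (constructed)"

FILENAME = "colorama-0.4.6.tar.gz"
# Shaped like https://pypi.org/pypi/colorama/0.4.6/json -> "urls"; the digest
# is computed from the constructed bytes above, so this is not PyPI's real data.
OFFICIAL_METADATA = {
    "urls": [
        {"filename": FILENAME, "packagetype": "sdist",
         "digests": {"sha256": hashlib.sha256(GENUINE_ARCHIVE).hexdigest()}},
    ]
}


def expected_digests(metadata: dict, filename: str) -> set:
    """All sha256 digests the official index publishes for this exact filename."""
    return {f["digests"]["sha256"] for f in metadata["urls"] if f["filename"] == filename}


def verify_artifact(filename: str, data: bytes, metadata: dict) -> tuple:
    """Return (ok, reason). A filename the index never published is refused
    rather than trusted, since a mirror can invent file names as easily as bytes."""
    expected = expected_digests(metadata, filename)
    if not expected:
        return False, f"{filename} is not a file the official index publishes"
    actual = hashlib.sha256(data).hexdigest()
    if any(hmac.compare_digest(actual, e) for e in expected):
        return True, "sha256 matches the official index"
    return False, f"sha256 mismatch: got {actual[:16]}..., index lists {sorted(expected)[0][:16]}..."


def hash_pinned_requirement(name: str, version: str, metadata: dict) -> str:
    """Emit a requirements.txt line for `pip install --require-hashes`: pip then
    rejects any artifact whose digest is not listed, whichever host served it."""
    hashes = sorted({f["digests"]["sha256"] for f in metadata["urls"]})
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{h}" for h in hashes)


if __name__ == "__main__":
    print(verify_artifact(FILENAME, GENUINE_ARCHIVE, OFFICIAL_METADATA))
    print(verify_artifact(FILENAME, POISONED_ARCHIVE, OFFICIAL_METADATA))
    print(hash_pinned_requirement("colorama", "0.4.6", OFFICIAL_METADATA))
```

`pip install --require-hashes -r requirements.txt` enforces the emitted line. In that mode pip requires every requirement in the file to carry a hash, so the protection is all-or-nothing, which is the point: a transitive dependency redirected to a lookalike host fails the install instead of silently succeeding.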

Impact of Malware Campaign
Spread through malicious GitHub repositories
The campaign had a significant impact on the Python ecosystem. It spread through several malicious GitHub repositories, demonstrating the attackers' reach and capabilities.
Spread through Python packages like ‘yocolor’
The malware did not stop at repositories. It also spread through Python packages such as 'yocolor', showing how the attackers used multiple distribution channels to maximize the damage.
Final Stage of Malware
Stealing sensitive information from software applications
The final stage of the malware was the most damaging. It harvested a broad range of sensitive information directly from applications on the victim's machine.
Targeting browser data, Discord data, and cryptocurrency wallets
Specifically, the malware targeted browser data, Discord data, and cryptocurrency wallets. The campaign underlines the need for stronger controls around dependency sources, maintainer accounts and the credential stores that stealers of this kind go after.
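The final-stage behaviour described above, a process that is neither a browser, Discord nor a wallet application reading those applications' credential stores, can be expressed as a detection over file-access telemetry. The following is an added example, not Checkmarx's or any vendor's detection content. The target paths are the well-known locations of those stores on Windows; the process allowlist, the sample events and the escalation threshold (two distinct store categories touched by one process) are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Credential stores the final stage is described as targeting. Patterns are
# matched case-insensitively against Windows paths.
TARGETS = {
    "browser": [r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies|Web Data)$",
                r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|cookies\.sqlite|key4\.db)$"],
    "discord": [r"\\discord(?:canary|ptb)?\\Local Storage\\leveldb\\"],
    "wallet":  [r"\\Exodus\\exodus\.wallet\\", r"\\Electrum\\wallets\\", r"\\Ethereum\\keystore\\"],
}
# Processes expected to open each category (assumed allowlist); anything else
# reading the store is reported.
EXPECTED_READERS = {
    "browser": {"chrome.exe", "firefox.exe", "msedge.exe"},
    "discord": {"discord.exe"},
    "wallet":  {"exodus.exe", "electrum.exe", "geth.exe"},
}

# Constructed file-read events (timestamp, process image, pid, path); not real
# telemetry. PID 7788 is a Python interpreter walking three stores in a row.
PY = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe"
SAMPLE_EVENTS = [
    ("10:00:01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 4120,
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("10:00:02", PY, 7788,
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("10:00:02", PY, 7788,
     r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    ("10:00:03", PY, 7788,
     r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    ("10:00:04", r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe", 5012,
     r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
]


def analyze(events: list) -> tuple:
    """Return (findings, verdicts). A finding is one unexpected read of a
    credential store; a pid that touches two or more categories is escalated,
    because legitimate software rarely reads other applications' secrets."""
    findings = []
    categories_by_pid = defaultdict(set)
    for ts, image, pid, path in events:
        exe = image.rsplit("\\", 1)[-1].lower()   # basename of a Windows path
        for category, patterns in TARGETS.items():
            if any(re.search(p, path, re.IGNORECASE) for p in patterns):
                if exe not in EXPECTED_READERS[category]:
                    findings.append({"ts": ts, "pid": pid, "image": exe,
                                     "category": category, "path": path})
                    categories_by_pid[pid].add(category)
    verdicts = {pid: ("stealer-like" if len(cats) >= 2 else "suspicious")
                for pid, cats in categories_by_pid.items()}
    return findings, verdicts


if __name__ == "__main__":
    found, verdicts = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} pid {f['pid']} {f['image']} read {f['category']} store: {f['path']}")
    print(verdicts)
```

The allowlist is per category on purpose: Chrome reading its own Login Data is normal, Chrome reading a Discord leveldb directory is not. On a real endpoint the events come from a file-access audit source such as Sysmon or an EDR sensor, and the interpreter name would be joined with its parent process and command line before alerting.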

