Detection finds: Open source attacks surge in February

Sonatype is a US-based company that provides software for finding and remediating vulnerabilities. Its best-known product is Nexus, a repository manager commonly used as a private Maven repository. Not long ago, Sonatype reported that several open source software repositories have seen a surge of suspicious malicious packages since February, and the wave has continued into recent weeks.

This week, we found 130 typosquatted packages in npm and 12 malicious packages in the PyPI repository via Sonatype's automated malware detection system (part of Nexus Firewall). The timing of these attacks is quite interesting: they landed while the world was focused on the Russia-Ukraine crisis and governments were urging organizations to step up their cybersecurity in response to related malicious cyber incidents.

With most professionals focused on ongoing development, threat actors may be taking the opportunity to refresh their old tactics, from seeding open source repositories with typosquatted packages to dependency confusion attacks that refuse to go away.


  • New malicious PyPI packages

First, it's been a busy week for members of the security research team. My fellow researchers Ankita Lamba and Juan Aguirre have been tirelessly tracking suspicious activity across hundreds of fake packages on the npm and PyPI registries, and responsibly reporting these findings to the repository maintainers.


collored vs. colored

While the official colored is a "simple library for terminal colors and formatting," the malicious typosquat "collored" identified by Sonatype this week launches a malicious executable on infected machines.

Instead of packing the executable within the package, however, "collored" makes an HTTP request to a hardcoded rentry[.]co link:

The rentry[.]co URL in turn provided a Discord webhook address pointing to a suspicious executable, srv.exe, which multiple antivirus engines on VirusTotal flagged as malicious when we submitted it.

In our security research data, "collored" is tracked as sonatype-2022-1141.


What's in a name?

Additionally, we dug into a rather cryptically named package: huehuehuehue, tracked as sonatype-2022-1142 in our vulnerability data. The oddly named package has no known legitimate use; it contains a base64 string that, once decoded, starts a bind shell on your system for an attacker to connect to.

The decoded code is as follows:


Welcome back: the fake "proxy connector"

The "aiohttp-socks4" PyPI package is a revival of the trojanized "aiohttp-socks5" package that we discovered and analyzed last week. Although the PyPI admins quickly removed the malicious package after we emailed them, the threat actors behind it appear determined to push out a second version.

These packages bill themselves as "proxy connectors" for AIOHTTP, the popular Python asynchronous HTTP framework with nearly 10 million downloads per week:

In fact, both packages contain malicious executables packed into large base64 strings. These executables are Remote Access Trojans (RATs) that give attackers extensive monitoring and remote control of infected systems.

In our vulnerability data, these two packages are tracked as sonatype-2022-1153 and sonatype-2022-1044.

Inside aiohttp-socks4, the beginning of the manifest file (setup.py) contains the base64-encoded executable, a newer version of the trojan (not seen on VirusTotal until we reported it), and the Python code connects to the same C2 server (144.24.115[.]170) described in our previous report.

As explained in our previous report, the C2 server receives fingerprint information from the victim, and if the malware is running for the first time on the infected machine (indicated by the "first_run" field), the server sends back further instructions (a base64-encoded payload) that are then executed on the infected system.
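The pattern described above, a large base64 blob sitting at the top of setup.py, is cheap to hunt for before a package is installed. The following is an added example (not Sonatype's code): it walks the AST of a setup.py, decodes any long base64-looking string literal, and flags blobs that decode to a Windows PE ("MZ" header) or to Python code. The sample setup.py, the length threshold and the keyword list are constructed for the demonstration.

```python
import ast
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_LEN = 200  # constructed threshold; ordinary metadata strings are rarely this long

def find_base64_payloads(source, min_len=MIN_LEN):
    """Return one finding per long string literal in `source` that decodes as base64."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = node.value.strip()
        if len(text) < min_len or not B64_RE.match(text):
            continue
        try:
            blob = base64.b64decode(text)
        except (binascii.Error, ValueError):
            continue
        kind = "unknown"
        if blob[:2] == b"MZ":  # Windows PE header: an executable packed as text
            kind = "pe-executable"
        elif re.search(rb"\b(exec|eval|subprocess|socket)\b", blob):
            kind = "python-code"  # a base64-encoded second stage
        findings.append({"line": node.lineno, "bytes": len(blob), "kind": kind})
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample setup.py mirroring the pattern described above: a large
# base64 blob at the top of the manifest, followed by an ordinary setup() call.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 200).decode()
FAKE_PY = base64.b64encode(("import socket, subprocess\ns = socket.socket()\n" * 4).encode()).decode()
DESCRIPTION = "An ordinary long description: plain prose with spaces and punctuation. " * 4
SAMPLE_SETUP_PY = "\n".join([
    "from setuptools import setup",
    "import base64",
    f'PAYLOAD = "{FAKE_PE}"',
    f'STAGE2 = "{FAKE_PY}"',
    f'setup(name="example-pkg", version="0.0.1", long_description="{DESCRIPTION}")',
])

if __name__ == "__main__":
    for f in find_base64_payloads(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {f['bytes']} decoded bytes ({f['kind']})")
```

The long plain-prose description is deliberately ignored because it fails the base64 alphabet check, while both packed blobs are reported with their line number and decoded size.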


request.request vs. requests

Next is the "request.request" package, which imitates the official requests package and is tracked as sonatype-2022-1281. Reading its description, you would take it for a low-key PoC package.

The first version of the package simply opened the calculator application on Windows and macOS. To keep later, more dangerous versions of the package from spreading, we promptly notified the PyPI security team and requested its removal:
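The three lookalikes discussed so far (collored for colored, request.request for requests, aiohttp-socks4 for aiohttp-socks) can all be caught by comparing requested names against a list of popular packages. This added example (not Sonatype's code) normalizes names per PEP 503 and flags any name, or dash-separated component of a name, that is one edit away from a popular package without being that package; the allow-list and the sample requirements are constructed for the demonstration.

```python
import re

# Constructed allow-list; in practice use the top-N names from your index.
POPULAR = {"colored", "requests", "aiohttp", "aiohttp-socks", "numpy", "urllib3"}

def normalize(name):
    """PEP 503 normalization: lower-case, runs of [-_.] become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike(name, popular, max_dist):
    """Return (popular_name, reason) if name is a near-miss of a popular one."""
    for pop in sorted(popular):
        d = edit_distance(name, pop)
        if 0 < d <= max_dist:  # collored -> colored, aiohttp-socks4 -> aiohttp-socks
            return pop, f"edit distance {d}"
    for part in name.split("-"):  # request-request: a component mimics 'requests'
        for pop in sorted(popular):
            d = edit_distance(part, pop)
            if 0 < d <= max_dist:
                return pop, f"component '{part}' is edit distance {d} away"
    return None

def check_requirements(requirements, popular=POPULAR, max_dist=1):
    """Return (normalized_name, popular_name, reason) for each suspicious line."""
    findings = []
    for line in requirements:
        spec = line.split("#", 1)[0].strip()
        name = normalize(re.split(r"[<>=!~\[;\s]", spec, maxsplit=1)[0]) if spec else ""
        hit = lookalike(name, popular, max_dist) if name and name not in popular else None
        if hit:
            findings.append((name,) + hit)
    return findings

# Constructed requirements list mixing real names with the lookalikes from the post.
SAMPLE_REQUIREMENTS = ["requests==2.28.1", "colored>=1.4", "collored",
                       "request.request", "aiohttp-socks4", "numpy-financial"]
```

Exact matches and legitimate extension packages such as numpy-financial pass, because a component that equals a popular name (distance 0) is not a near-miss.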


Fake Azure packages: Azure typosquats

Additionally, we found 8 PyPI packages that target Azure developers and environments via dependency confusion:

  • sdk-cli-v2

  • sdk-cli-v2-public

  • azureml-contrib-optimization

  • azure-cli-ml-private-preview

  • aml-ds-pipeline-contrib

  • azure-cli-ml-preview

  • azureml-contrib-reports

  • azureml-contrib-jupyterrun

These packages are tracked as sonatype-2022-1143 in our data.


  • npm flooded with 130 typosquats and Discord stealers

As the largest Node.js registry, npm also suffered an influx of over 100 unwanted packages, including Discord stealers and typosquats.

Tracked as sonatype-2022-1140 in our security research data, these 130 typosquatted packages were published on npm by the same author and contain the dependency confusion code we so often see.

Each of these 130 typosquats (named after popular brands, websites, and projects) contains the same code, which collects basic fingerprint information from your system (your username, hostname, IP address, operating system information, etc.) and exfiltrates it to the maintainer's server:

Additionally, we have seen multiple Discord token stealers on npm named alprazolamdiv, discord.js-selfbot-v32, discord.js-selfbot-cloner, and discord.js-selfbot-v7. All of these stealers are tracked under sonatype-2022-1145:


  • Like the crisis unfolding in the world, open source attacks are proliferating

The current discovery follows Sonatype's identification of a newly developed suspicious jquery-lh library on npm, a malicious Roblox cookie and Discord token stealer targeting PyPI, and an attack campaign that flooded PyPI with over 1,200 dependency confusion packages.

Given that all of these events happened within a very short period of time, on top of the spam attacks on the three main repositories npm, PyPI, and NuGet in February, we have no reason to believe that attacks against the open source ecosystem will slow down in the near future.

Original link: https://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick?utm_content=bufferf344e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Author | Ax Sharma

Time  |  March 3, 2022

Translation | Wang Yao

Proofreading | Du Junping
