New malicious PyPl can slither onto your device using sneaky tactics

DLL side-loading and typosquatting is now a thing on Python

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have been spotted combining two known methods to try and delivermalwareto Python developers: DLL side-loading, and typosquatting.

Cybersecurity researchers from ReversingLabs recently spotted two Python packages on the PyPI repository, called NP6HelperHttptest and NP6HelperHttper which if installed, could grant the attackers the ability to run malicious code on the vulnerable endpoints.

The Hacker Newssays these two are actually typosquatted versions of NP6HelperHttp and NP6HelperConfig, helper tools for a marketing automation solution published by employees of ChapsVision.

Deploying Cobalt Strike beacons

Deploying Cobalt Strike beacons

Obviously whoever built these malicious packages was betting onPythondevelopers searching for these tools and accidentally picking the wrong ones. Those that make that mistake will get a setup.py script, which downloads two files: a malicious DLL to be side-loaded - dgdeskband64.dll, and an executable vulnerable to side-loading - ComServer.exe.

In the process, the executable calls on the DLL, which reaches out to a domain under the attackers’ control, and grabs a GIF. That file is actually shellcode for a Cobalt Strike beacon. The researchers believe these two packages are part of a bigger malicious campaign.

“Development organizations need to be aware of the threats related to supply chain security and open-source package repositories,” security researcher Karlo Zanki said. “Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”

In total, the two packages were downloaded around 700 times before they were spotted and removed from the repository.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Supply chain attacks through PyPI are nothing new. Just a week ago, researchers from Phylum warned of more than 400 malicious packages being spread through PyPI, exfiltrating people’s data, compromising applications, and stealing cryptocurrencies. Most of the attackers deploy the typosquatting technique, trying to trick people into downloading a malicious package.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)