- ReversingLabs exposes the VMConnect campaign, revealing North Korean hackers’ use of deceptive Python packages in PyPI.
- The malicious Python package tablediter evades detection by delaying its malicious activity, marking an advance in the tactics of North Korean hackers.
ReversingLabs, a cybersecurity company, has recently uncovered three rogue Python packages in the PyPI (Python Package Index) repository, shedding light on an ongoing malicious software supply chain campaign called VMConnect. This campaign is believed to involve state-sponsored threat actors from North Korea.
Deceptive Tactics: Impersonation of Trustworthy Packages
The newly discovered packages are named tablediter, request-plus, and requestspro. VMConnect is a deceptive scheme that revolves around Python packages mimicking popular open-source Python tools. These packages are designed to download a mysterious second-stage malware.
What sets these malicious packages apart is the use of typosquatting techniques to impersonate legitimate packages like prettytable and requests. This tactic is intended to deceive developers and make the packages appear trustworthy.
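As an added illustration (not code from ReversingLabs or from the packages themselves), the following dependency audit flags requirements that match the names reported in this article or that closely resemble the impersonated packages. The similarity threshold, the helper names, and the sample requirements are assumptions made for this example; note that tablediter is caught by the reported-name list, since it is not textually close to prettytable.

```python
import re
from difflib import SequenceMatcher

# Package names reported in this article (VMConnect campaign).
REPORTED = {"tablediter", "request-plus", "requestspro"}
# Legitimate packages the article says were impersonated; extend as needed.
PROTECTED = {"prettytable", "requests"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Return the normalized project name from a requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(match.group(0)) if match else None

def audit(lines, threshold=0.8):
    """Return (name, reason) pairs for dependencies needing manual review."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name is None or name in PROTECTED:
            continue
        if name in REPORTED:
            findings.append((name, "reported malicious"))
            continue
        # Compare without separators so "req-uests" style variants still match.
        squashed = name.replace("-", "")
        for legit in sorted(PROTECTED):
            if SequenceMatcher(None, squashed, legit).ratio() >= threshold:
                findings.append((name, f"resembles {legit}"))
                break
    return findings

# Constructed sample requirements file (not taken from a real project).
SAMPLE = ["requests==2.31.0", "prettytable>=3.0", "Request_Plus==1.0",
          "tablediter", "reqeusts==2.0  # typo", "numpy", "requests-toolbelt"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"REVIEW {name}: {reason}")
```

A name-based check like this only narrows what to review by hand; it says nothing about what a flagged package actually does at import time.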
- Among the three packages, tablediter stands out for its deceptive behavior. It employs an endless execution loop to periodically poll a remote server, fetching and executing a Base64-encoded payload.
- The exact nature of this payload remains undisclosed. Notably, to avoid detection by security software, tablediter no longer triggers its malicious code immediately upon installation.
- Instead, it waits until the compromised application imports the designated package and calls its functions, evading behavior-based detection.
- The other two packages, request-plus and requestspro, have the capability to gather information from the infected system and transmit it to a command-and-control (C2) server.
- Following this, the server responds with a token, which the infected host sends to a different URL on the same C2 server.
- In return, it receives a double-encoded Python module and a download URL, suspected to be the next stage of the malware.
This discovery highlights the evolving tactics of cyber threat actors, particularly in the context of supply chain attacks. By impersonating trusted Python packages and delaying malicious activities, these actors aim to make detection and defense more challenging for cybersecurity professionals. Vigilance and security measures within the software supply chain are crucial to thwart such threats.
1. What are the names of the recently discovered malicious Python packages?
The packages are tablediter, request-plus, and requestspro.
2. What is the VMConnect campaign?
VMConnect is a malicious software supply chain campaign involving rogue Python packages found in the PyPI repository, associated with North Korean state-sponsored threat actors.
3. What is the purpose of request-plus and requestspro?
These packages collect information from infected systems and transmit it to a command-and-control server, part of the malware’s data-gathering operation.