Cybersecurity researchers from Check Point Research (CPR) have discovered a new malicious package on PyPI, the code repository for the Python programming language which uses an image to deliver a Trojan malware, largely using GitHub.
The threat actors behind this new campaign hope that while searching the web for legitimate projects, Python developers will, sooner or later, come across ‘apicolor’.
The seemingly benign in-development package on PyPI, once installed, first manually installs extra requirements, and then downloads a picture from the web. The extra requirements process the picture, and trigger the processing generated output using the exec command.
One of those two requirements is the judyb code, that’s in fact a steganography module, capable of revealing hidden messages within pictures. That led the researchers back to the picture which, as it turns out, downloads malicious packages from the web to the victim’s endpoint (opens in new tab).
“The immediate place to investigate such packages is GitHub,” the researchers explain. “Researchers searched for code projects using these packages, enabling the team to further understand their infection techniques (if anyone mistakenly installed them and if they did, how it happened). Using this search, it became apparent that apicolor and judib are quite niche, having low usage on GitHub projects.“
As soon as CPR notified PyPI of its findings, the latter removed the malicious package from its platform.
While the researchers did not find out who the threat actor behind this campaign was, it did say that the whole ordeal was “carefully planned and thought”, further stating that the obfuscation techniques on PyPI have evolved.
“We constantly scan PyPI for malicious packages and responsibly report them to PyPI. This one is unique and distinct from almost all the malicious packages we have encountered before,” commented Quote: Ori Abramovsky, Head of Data Science, SpectralOps, a Check Point company.
“This package differs in the way it camouflages its intent, and the way in which it targets PyPI users to infect them with malicious imports on GitHub. Our findings indicate that PyPI malicious packages and their obfuscation techniques are fast-evolving. The package we have shared here reflects careful and meticulous work. It is not the regular copy and past that we commonly see, but what seems like a real campaign. The creation of the GitHub projects, then smartly hiding the code and downplaying the packages on PyPI, are all sophisticated work.”