This, to many of you, ain’t a news. But in the latest years typosquatting around the various open source package manager is gaining a wild popularity with a lot of threat actor that are exploiting this thing.

Typosquatting.

By definition is a cyber attack in which an attacker registers a domain name (or in this case a package name) that has a slight variation of a legitimate domain (or package).

In the last week alone something like 27 malicious packages have found their way into the developers laptop.

According to Checkmarx the majority of the download came from: USA, France, China, Germany, Hong Kong, Russia, Ireland, UK, Japan and few others (fuck, im listing the world!)

Where to find it ?

According to the latest research done, the main part of the malicious code is to be found embedded into setup.py file Useless to say that is gonna be obfuscated, but you can easily recognize this because it share almost the same structure with other malware payload find around

Why ?

Well, the reason for stuff like are always the same.

  • Data Stealing
  • Steal Credit/Debit Card info
  • Identity theft
  • Frauds
  • Can’t think for other stuff….

Innovations

Reported as “something new” is that the various malware injected into those packages are using steganography to include important informations or commands into a picture (usually name uwu.png)

Activity

Checkmarx reported:

Method of operation was as follows: 

  • User Identification: The scripts began by verifying the username of the logged-in user. 
  • Directory Verification and Creation: They checked for a particular directory named “System64” within the user’s Start Menu Programs path. If nonexistent, the script created it. 
  • File Placement and Execution: The scripts then deployed VBScript and batch files that downloaded and executed a file named “Runtime.exe”, ensuring its persistence on the system by placing it in the system’s Startup folder. 
  • Stealth and Cleanup: Post-execution, the scripts cleared their tracks by deleting the evidence of their presenc
Checkmarx

The most common

Thank you Checkmarx for this table

Indicator Of Compromise (IOC)

  • hxxp[:]//51.178.25.148[:]8081/upload 
  • hxxp[:]//51.178.25.148[:]8081/dl/runtime 
  • hxxp[:]//51.178.25.148[:]8081/uploader 
  • hxxp[:]//51.178.25.148[:]8081/gethw 
  • hxxp[:]//51.178.25.148[:]8081/dl/system 
  • hxxp[:]//51.178.25.148[:]8081/getip 
  • hxxp[:]//51.178.25.148[:]8081/dl/uwu 
  • hxxp[:]//51.178.25.148[:]8081/rooter 
  • hxxps[:]//pastebin.com/raw/TwHdexDC 
  • hxxps[:]//canary.discord.com/api/webhooks/1153431050517762059/MAkfrB4n1Gz6qe7W8ffWTZF92yfN3D_FWPFFaK_FBgDQWB1ZYfbKHa61X_8L6GK175r0 
  • hxxps[:]//canary.discord.com/api/webhooks/1155235432406196334/3eFtMXnG2laJjInzO_kAzLbW6ebMgbrrwmAcRtZyOfqnyCh-twTT9pSumcKr5QJvbGEZ 
  • hxxps[:]//canary.discord.com/api/webhooks/1152716297474424913/z6-hvrQNeyL0m1Mm34JLYj1VVB67sVEXogqJzGCkxYgMFCgCWhQaR07ruMBck1dJAi9g 
  • hxxp[:]//51.178.25.148[:]8081/dl/sys86 
  • hxxp[:]//51.178.25.148[:]8081/dl/gamesdk 
  • hxxps[:]//canary.discord.com/api/webhooks/1152648911371120681/JlL5FnwmY6nP6RaZxmQ7NI9MGR6HARmAekaPqPDdVTq9K3RJ68Lcd7cz16l9u6eZH9c3 
  • hxxps[:]//discord.com/api/webhooks/1103033150558457876/22oUF1rkDTdxz-iq-2EOR4aVXwDr5vFIeE9zWlitIbYSG2E3XhF8KQIzuo1uXy_bOcos 

What to do

Unfortunately the open source world as magical as it is is always under the “human influence”, so those cases will never cease to exist.

But, at least, we know for a fact that PyPi is working hard to avoid this from happening again.

So, quoting myself from another post:

Misreading, my best ally

Me

So, the only things that can actually avoid catastrophic results from this situation is to choose between this options at least one:

  1. Double checking what you write/read
  2. Check the code you just retrieved
  3. Use specific software like socket

As always,

Stay Safe !