New malicious PyPl can slither onto your device using sneaky tactics

The Python banner logo on a computer screen running a code editor.
(Image credit: Shutterstock / Trismegist san)

Hackers have been spotted combining two known methods to try and deliver malware to Python developers: DLL side-loading, and typosquatting.

Cybersecurity researchers from ReversingLabs recently spotted two Python packages on the PyPI repository, called NP6HelperHttptest and NP6HelperHttper which if installed, could grant the attackers the ability to run malicious code on the vulnerable endpoints.

The Hacker News says these two are actually typosquatted versions of NP6HelperHttp and NP6HelperConfig, helper tools for a marketing automation solution published by employees of ChapsVision.

Deploying Cobalt Strike beacons

Obviously whoever built these malicious packages was betting on Python developers searching for these tools and accidentally picking the wrong ones. Those that make that mistake will get a script, which downloads two files: a malicious DLL to be side-loaded - dgdeskband64.dll, and an executable vulnerable to side-loading - ComServer.exe.

In the process, the executable calls on the DLL, which reaches out to a domain under the attackers’ control, and grabs a GIF. That file is actually shellcode for a Cobalt Strike beacon. The researchers believe these two packages are part of a bigger malicious campaign.

"Development organizations need to be aware of the threats related to supply chain security and open-source package repositories," security researcher Karlo Zanki said. "Even if they are not using open-source package repositories, that doesn't mean that threat actors won't abuse them to impersonate companies and their software products and tools."

In total, the two packages were downloaded around 700 times before they were spotted and removed from the repository.

Supply chain attacks through PyPI are nothing new. Just a week ago, researchers from Phylum warned of more than 400 malicious packages being spread through PyPI, exfiltrating people’s data, compromising applications, and stealing cryptocurrencies. Most of the attackers deploy the typosquatting technique, trying to trick people into downloading a malicious package.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.