Lazarus exploits typos to introduce PyPI malware into development systems

February 29, 2024 | Pressroom | Malware/endpoint security


The infamous North Korean hacking group Lazarus has uploaded four packages to the Python Package Index (PyPI) repository with the aim of infecting developers’ systems with malware.

The packages, now removed, are pycryptoenv, pycryptoconf, quasarlib and swapmempool. They have been downloaded a total of 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.

“The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python,” said JPCERT/CC researcher Shusei Tomonaga. “Therefore, the attacker likely prepared the malicious packages containing malware to target users’ typos when installing Python packages.”

The disclosure comes just days after Phylum discovered several rogue packages in the npm registry that were used to target software developers as part of a campaign codenamed Contagious Interview.


An interesting commonality between the two campaigns is that the malicious code is hidden within a test script (“test.py”). In this case, however, the test file is simply a smokescreen for an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.

The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, malware known as Comebacker, which is responsible for establishing a connection to a command-and-control (C2) server in order to retrieve and execute a Windows executable file.

JPCERT/CC said the packages are a continuation of a campaign that Phylum first described in November 2023 to leverage crypto-themed npm modules to deliver Comebacker.

“Attackers could target users’ typos to download malware,” Tomonaga said. “When installing modules and other types of software in your development environment, do so carefully to avoid installing unwanted packages.”
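One way to act on that advice before running `pip install`, as an added example that is not from JPCERT/CC or the original article: a pre-install check that flags requirements entries which are one edit away from an allow-listed dependency, or which extend an allow-listed name with a short suffix, the pattern pycryptoenv and pycryptoconf used against pycrypto. The allow-list and the sample requirements file are constructed for the example.

```python
import re

# Constructed allow-list of the project's real dependencies (normally generated from a reviewed lock file).
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "cryptography", "requests", "numpy"}


def normalize(name):
    """PEP 503 canonical form: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or adjacent swap."""
    d = [[i + j for j in range(len(b) + 1)] for i in range(len(a) + 1)]  # d[i][0]=i, d[0][j]=j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition costs 1
    return d[-1][-1]


def typosquat_reason(name, known=KNOWN_PACKAGES, max_suffix=5):
    """Explain why `name` resembles an allow-listed package, or return None: either a
    one-edit near miss, or a known name plus a short suffix (how pycryptoenv shadowed pycrypto)."""
    cand = normalize(name)
    canon = {normalize(k) for k in known}
    if cand in canon:
        return None  # exact allow-listed name, nothing to report
    for k in sorted(canon, key=len, reverse=True):  # prefer the longest real name
        if edit_distance(cand, k) <= 1:
            return f"{name}: one edit away from {k}"
        if cand.startswith(k) and 0 < len(cand) - len(k) <= max_suffix:
            return f"{name}: {k} plus short suffix {cand[len(k):]!r}"
    return None


def audit_requirements(lines):
    """Return one finding per suspicious entry in requirements.txt-style lines."""
    findings = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if spec:
            pkg = re.split(r"[\s\[<>=!~;@]", spec, maxsplit=1)[0]  # strip version/extras/markers
            reason = typosquat_reason(pkg)
            if reason:
                findings.append(reason)
    return findings


# Constructed sample requirements file; pycryptoenv and pycryptoconf are the names from the campaign above.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "pycryptodome>=3.19", "pycryptoenv",
                       "pycryptoconf", "quasarlib", "swapmempool", "reqeusts"]
```

Note that quasarlib and swapmempool pass: a name check only catches look-alikes of packages you already depend on, so it complements, rather than replaces, reviewing what a new package actually contains.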
