CheckPoint researchers discovered a malicious package, named ‘apicolor,’ on the Python Package Index (PyPI) that uses steganographic to hide malware within image files.
The malicious package infects PyPI users through open-source projects on Github.
The package was uploaded to PyPI on October 31, 2022, it had a vague header stating this is a ‘core lib for REST API’.
The analysis of the package installation script revealed a code section at the beginning. It starts by manually installing extra requirements, then it downloads an image (“8F4D2uF.png”) hosted on Imgur and uses the newly installed package, called judyb, to process the picture and trigger the processing generated output using the exec command.
“The two packages being manually installed are requests (quite popular helper package for API usage), and judyb. The judib package details initially seem like an ‘in progress’ package, having an empty description and a vague header stating this is ‘a pure Python judyb module’.” reads the analysis published by CheckPoint “A deeper look revealed judib was first released around the same time as apicolor.”
“The judyb code turned out to be a steganography module, responsible hiding and revealing hidden messages inside pictures. Check Point Research suspected that the image downloaded during the apicolor installation may include a hidden part inside of it.”
The judyb package was used to extract obfuscated Python code hidden in the image, once decoded it retrieves and executes a malicious binary from a remote server.
The experts searched for code projects using the above packages and discovered that apicolor and judib have low usage on GitHub projects.
Experts recommend to consider only open-source projects with a reputation, taking care of the positive feedback and the number of forks. One of the projects analyzed by the researchers, despite fitting with this criteria, have dozens of stars and hundreds of forks that were synthetically generated. The experts noticed only a single forking account and a set of staring accounts that were used to provide positive feedback to the project as part of the malicious campaign.
“Researchers are seeing a new type of organized attacks. Threat actors have progressed from the ‘mimic a common package and slightly hide your malicious code’ technique. They are creating organized campaigns that directly target certain types of users.” Check Point concludes. “Moving the infection phase from the highly watched PyPI platform to a more crowded domain, such as GitHub, makes detecting malicious packages more difficult. These type of attacks seem to target users working from home, likely individuals who use their corporate machines for side projects.”
(SecurityAffairs – hacking, Moshen Dragon)