Japan’s Computer Security Incident Response Team (JPCERT/CC) is warning that the notorious North Korean hacking group Lazarus has uploaded four malicious PyPI packages to infect developers with malware.
PyPI (Python Package Index) is a repository of open-source software packages that software developers can utilize in their Python projects to add additional functionality to their programs with minimal effort.
The lack of strict checks on the platform allows threat actors to upload malicious packages, such as information stealers and backdoors, that infect developers’ computers when added to their projects.
This malware allows the hacking group to access the developer’s network, where they conduct financial fraud or compromise software projects to conduct supply chain attacks.
Lazarus previously leveraged PyPI to distribute malware in August 2023, when the North Korean state-sponsored hackers submitted packages camouflaged as a VMware vSphere connector module.
Lazarus’ new PyPI packages
Today, JPCERT/CC is warning that Lazarus has once again uploaded packages to PyPI that will install the ‘Comebacker’ malware loader.
The four new packages that JPCERT/CC attributes to Lazarus are:
The first two packages’ names create a false link to the legitimate ‘pycrypto’ project (Python Cryptography Toolkit), a collection of secure hash functions and various encryption algorithms downloaded 9 million times every month.
None of the four packages are currently available on PyPI, as they were removed from the repository as recently as yesterday.
However, download stats tracking platform PePy reports a total installation count of 3,252, so thousands of systems have been compromised by Lazarus malware.
The malicious packages share a similar file structure, containing a ‘test.py’ file that isn’t really a Python script but an XOR-encoded DLL file executed by the ‘__init__.py’ file, which is also included in the package.
The execution of test.py triggers the decoding and creation of additional DLL files that falsely appear as database files, as shown in the following diagram.
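A defender-side check for the file-structure tell described above, as an added example that is not part of JPCERT/CC’s report or this article: it flags any .py file in a package that does not parse as Python source and, as a secondary signal, recovers a single-byte XOR key if the blob decodes to a PE (MZ) image. The package layout, the fake DLL bytes and the key are constructed for the demo; real samples may use longer keys, so the parse failure is the primary signal.

```python
import ast
import tempfile
from pathlib import Path

MZ = b"MZ"
PE_HINT = b"This program cannot be run in DOS mode"  # DOS stub text in real PE files

def is_python_source(data: bytes) -> bool:
    """True if the bytes parse as Python source (a real .py file should)."""
    try:
        ast.parse(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False

def xor_single_byte_pe_key(data: bytes):
    """Return the single-byte XOR key under which the blob starts with an MZ header
    and carries the DOS-stub text, or None. A key of 0 means an unencoded PE."""
    if len(data) < 2:
        return None
    key = data[0] ^ MZ[0]            # key is fixed by the first plaintext byte 'M'
    if data[1] ^ key != MZ[1]:
        return None
    head = bytes(b ^ key for b in data[:256])
    return key if PE_HINT in head else None

def scan_package(pkg_dir: str) -> list:
    """List (relative path, xor key or None) for every .py file that is not Python source."""
    findings = []
    for path in Path(pkg_dir).rglob("*.py"):
        data = path.read_bytes()
        if is_python_source(data):
            continue
        findings.append((str(path.relative_to(pkg_dir)), xor_single_byte_pe_key(data)))
    return findings

def build_sample_package(root: str, key: int = 0x5A) -> str:
    """Constructed sample (not real malware): __init__.py is genuine source,
    test.py is a harmless fake PE image XOR-encoded with a single-byte key."""
    pkg = Path(root) / "fakepkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("import os\nprint('loader stand-in')\n")
    fake_pe = MZ + b"\x90" * 60 + PE_HINT + b"\x00" * 40
    (pkg / "test.py").write_bytes(bytes(b ^ key for b in fake_pe))
    return str(pkg)

def demo() -> list:
    """Build the constructed package in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(tmp))

if __name__ == "__main__":
    print(demo())  # [('test.py', 90)]
```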
The Japanese cybersecurity agency says that the final payload (IconCache.db), executed in memory, is malware known as “Comebacker,” first identified by Google analysts in January 2021, who reported that it was used against security researchers.
The Comebacker malware connects to the attacker’s command and control (C2) server, sends an HTTP POST request with encoded strings, and waits for further Windows malware to be loaded in memory.
Based on various indicators, JPCERT/CC says this latest attack is another wave of the same campaign Phylum reported in November 2023 involving five crypto-themed npm packages.
Lazarus has a long history of breaching corporate networks to conduct financial fraud, usually to steal cryptocurrency.
Previous attacks attributed to Lazarus include the theft of $620 million worth of Ethereum from Axie Infinity’s Ronin network bridge and other crypto thefts on Harmony Horizon, Alphapo, CoinsPaid, and Atomic Wallet.
In July, GitHub warned that Lazarus was targeting developers at blockchain, cryptocurrency, online gambling, and cybersecurity companies using malicious repositories.