Security researchers at JFrog have reported the discovery of 11 malicious Python packages in the Python Package Index (PyPI, the official repository for third-party Python software), apparently designed to steal access tokens from platforms such as Discord. Some of the packages were also seen intercepting passwords and carrying out substitution attacks.

The package names found are importantpackage / important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10 / 10Cent11, yandex-yt, and yiffpartylos. The researchers who discovered them warn that “importantpackage” abuses TLS termination at the CDN to exfiltrate stolen data, and also uses the Fastly CDN to hide its malicious communications with the C&C server.

Different attack techniques

Another technique some of these malicious Python packages use to evade network-based detection is to route traffic through the Fastly content delivery network (CDN), so that communication with the C2 server looks like communication with pypi.org.

The attackers also use the TrevorC2 framework to issue commands covertly. As the researchers put it: “Using this framework, the client contacts the server in a similar way as it would when browsing a normal website, which makes the traffic even harder to distinguish.” With this technique, the client sends requests that hide the payload inside ordinary HTTP GET requests.

Another popular network-evasion technique among malware developers is DNS tunnelling. “Although it is not a new technique, it is the first time that we see this evasion method used in malicious packages uploaded to PyPI”, said the company that discovered these Python-based attacks. As its name suggests, this technique uses DNS requests as the communication channel between the victim machine and the C2 server.
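Both evasion patterns described above (C2 traffic disguised as pypi.org behind a CDN with the payload hidden in GET requests, and DNS tunnelling) leave traces in ordinary proxy and resolver logs. The script below is an added example, not code from the article or from JFrog's research. It runs two small detectors over constructed log lines: for HTTP, a check that the Host header agrees with the TLS SNI plus a check for encoded-looking query-string values; for DNS, a check for repeated long, high-entropy leftmost labels sent to one parent domain. The log formats, field order, domain names and thresholds are all assumptions made for the example.

```python
"""Added example: simple detectors for the evasion patterns in the article.
The log formats and thresholds are assumptions; all records are constructed."""
import math
from collections import Counter, defaultdict

# Constructed DNS log (hypothetical format): "<timestamp> <client> <qtype> <qname>"
DNS_LOG = """\
2021-11-23T10:00:01 10.0.0.5 A pypi.org
2021-11-23T10:00:02 10.0.0.5 A files.pythonhosted.org
2021-11-23T10:00:03 10.0.0.5 TXT 4d3a2b1c9f8e7d6c5b4a392817160504a1b2c3d4.tun.example.net
2021-11-23T10:00:04 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.tun.example.net
2021-11-23T10:00:05 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4.tun.example.net
2021-11-23T10:00:06 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f9012345678.tun.example.net
2021-11-23T10:00:07 10.0.0.5 TXT 1234567890abcdef1234567890abcdef12345678.tun.example.net
2021-11-23T10:00:08 10.0.0.5 A www.python.org
"""

# Constructed proxy log (hypothetical format): "<client> <sni> <host> <method> <target>"
# The 64-character query value stands in for an encoded payload.
HTTP_LOG = """\
10.0.0.5 pypi.org pypi.org GET /simple/requests/
10.0.0.5 files.pythonhosted.org files.pythonhosted.org GET /packages/requests-2.26.0.tar.gz
10.0.0.5 pypi.org c2-front.example.net GET /simple/
10.0.0.5 pypi.org c2-front.example.net GET /simple/?s=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_
10.0.0.5 www.python.org www.python.org GET /downloads/?os=linux
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4 for hex, up to 6 for base64, lower for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_suspects(log_text, min_label_len=30, min_entropy=3.0, min_hits=3):
    """Group queries by parent domain (last two labels) and flag parents that
    receive several distinct long, high-entropy leftmost labels: the shape of
    data encoded into subdomains by a DNS tunnel."""
    hits = defaultdict(set)   # parent domain -> suspicious leftmost labels
    total = Counter()         # parent domain -> number of queries with a subdomain
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        labels = parts[3].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue          # bare domain: no subdomain to carry data
        parent = ".".join(labels[-2:])
        total[parent] += 1
        label = labels[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[parent].add(label)
    return {p: {"queries": total[p], "suspicious_labels": len(s)}
            for p, s in hits.items() if len(s) >= min_hits}


def http_evasion_suspects(log_text, min_query_len=32, min_entropy=4.0):
    """Flag (a) requests whose Host header disagrees with the TLS SNI, the
    signature of CDN domain fronting, and (b) GET requests carrying a long,
    high-entropy query value, the shape of a payload smuggled in a GET."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, sni, host, method, target = parts
        reasons = []
        if sni.lower() != host.lower():
            reasons.append(f"host header {host} differs from SNI {sni}")
        if method == "GET" and "?" in target:
            for kv in target.split("?", 1)[1].split("&"):
                value = kv.split("=", 1)[1] if "=" in kv else kv
                if len(value) >= min_query_len and shannon_entropy(value) >= min_entropy:
                    reasons.append(f"encoded-looking query value ({len(value)} chars)")
                    break
        if reasons:
            findings.append({"client": client, "sni": sni, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for parent, info in dns_tunnel_suspects(DNS_LOG).items():
        print(f"DNS tunnel suspect: {parent} {info}")
    for f in http_evasion_suspects(HTTP_LOG):
        print(f"HTTP evasion suspect: {f['client']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

The thresholds are deliberately conservative: a single long label or one odd query is noise, so the DNS check requires several distinct suspicious labels to the same parent domain, and the HTTP check reports each reason separately so an analyst can weigh a Host/SNI mismatch (which some legitimate CDN setups also produce) against the presence of an encoded-looking payload.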