Malicious Python packages employ advanced detection evasion techniques

JFrog researchers have discovered 11 malicious Python packages on PyPI, the official third-party package repository for Python, which have been collectively downloaded over 41,000 times.

Malicious Python packages detection

This is not the first time that malicious packages have been successfully introduced into online package repositories and will surely not be the last. What’s worrying the researchers is that attackers are using increasingly advanced techniques to avoid detection.

Detection evasion techniques

The malicious packages – importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty – steal Discord tokens, establish a reverse shell over HTTP giving the attacker full control over an infected machine, or collect user information and send it via DNS tunneling to a server run by the attackers.

Another technique that some of these malicious Python packages use to evade network-based detection is to use the Fastly content delivery network (CDN) to disguise communications with the C2 server as a communication with

“The PyPI infrastructure is hosted on the Fastly CDN. This hosting uses the Varnish transparent HTTP proxy to cache the communication between clients and the backend. The traffic first goes into a TLS terminator for decryption, so the Varnish proxy can inspect the contents of the HTTP packet. The proxy analyzes the HTTP headers from the user’s request and redirects the request to the corresponding backend according to the Host header. The process then repeats itself in the reverse direction, allowing the malware to imitate duplex communication with PyPI. As a result, the command & control (C2) session is encrypted and signed with a legitimate server certificate, making it indistinguishable from communicating with legitimate PyPI resources,” JFrog researchers explained.

The attackers are also using the TrevorC2 framework to implement a masked command and control client. “Using this framework, the client contacts the server in a way that looks similar to standard website browsing, making the traffic even more obscure,” they noted.

Finally, there is indication that, at least in some cases, the attackers are exploiting dependency confusion to succeed in their intent. (Apiiro recently released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks.)

“While this set of malicious packages may not have the same ‘teeth’ as our previous discoveries, what’s notable is the increasing level of sophistication with which they are executed. It’s not reaching for your wallet in broad daylight – but there is a lot more subterfuge going on with these packages, and some of them may even be setting up for a follow-up attack after the initial reconnaissance, instead of running a highly-compromising payload to start,” the researchers concluded.

As always, developers are advised to be extra careful when downloading packages from public repositories.

Don't miss