In order to infect developer systems with malware, the notorious North Korean state-backed hacking organization Lazarus uploaded four packages to the Python Package Index (PyPI) repository.
Pycryptoenv, pycryptoconf, quasarlib, and swapmempool are the now-defunct packages. Together, they have been downloaded 3,269 times, with pycryptoconf accounting for 1,351 of those downloads.
According to JPCERT/CC researcher Shusei Tomonaga, the package names pycryptoenv and pycryptoconf are similar to pycrypto, a Python package used to implement encryption algorithms. The attacker probably prepared these malware-laden packages to catch users' typos when installing Python packages.
The disclosure comes a day after Phylum found a number of bogus packages on the npm registry that were being used to target software developers as part of the Contagious Interview campaign.
An interesting commonality between the two sets of attacks is that the malicious code is concealed within a test script ("test.py"). The test file is merely a smokescreen for an XOR-encoded DLL file, which in this case yields two files, IconCache.db and NTUSER.DAT.
NTUSER.DAT is then used in the attack sequence to load and execute IconCache.db, a malware known as Comebacker, which contacts a command-and-control (C2) server to retrieve and execute a Windows executable file.
The packages, according to JPCERT/CC, are a continuation of a campaign Phylum first described in November 2023 as utilizing crypto-themed npm modules to deliver Comebacker.
According to Tomonaga, "attackers may be attempting to get users' typos to download the malware." Please be careful when installing modules and other types of software in your development environment, so that you do not install unwanted packages.
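As an added example (not code from JPCERT/CC or from the article), a small pre-install check in Python that flags requested package names which look like a known package but are not, the typosquat pattern described above; the allowlist and the sample requirements lines are constructed for the demonstration.

```python
# Constructed allowlist of well-known package names; in practice this would
# come from an internal allowlist or a list of the most-downloaded packages.
KNOWN_PACKAGES = ["pycrypto", "pycryptodome", "requests", "numpy", "setuptools"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-insensitive, '_' and '.' equal '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def typosquat_candidates(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (known_name, reason) pairs the requested name resembles; [] if legitimate."""
    req = normalize(requested)
    hits = []
    for k in known:
        kn = normalize(k)
        if req == kn:
            return []  # exact match with an allowed package: not a typosquat
        # Two typosquat styles: an affix bolted onto a real name
        # (pycrypto -> pycryptoenv) or a small edit (pycrypto -> pycrpyto).
        if (req.startswith(kn) or req.endswith(kn)) and len(req) - len(kn) <= 5:
            hits.append((k, "affix"))
        elif levenshtein(req, kn) <= max_distance:
            hits.append((k, "edit-distance"))
    return hits


def check_requirements(lines):
    """Scan requirements-style lines and map suspicious names to their look-alikes."""
    report = {}
    for line in lines:
        name = line.strip().split("==")[0].split(">=")[0]
        if not name or name.startswith("#"):
            continue
        hits = typosquat_candidates(name)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    # Constructed sample requirements containing the two names from the report.
    sample = ["requests==2.31.0", "pycryptoenv", "pycryptoconf", "numpy>=1.26"]
    for pkg, hits in check_requirements(sample).items():
        print(f"WARNING: {pkg} resembles {hits}")
```

Run it against a requirements file before `pip install -r`; legitimate extensions such as pycryptodome are not flagged because they match the allowlist exactly.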