Malicious PyPI Package Removes netstat, Tampers with SSH Config
Published on Feb 13, 2023
According to a recent report by Sonatype security researcher Ax Sharma, malicious packages have been discovered in the PyPI registry, including aptx, which installs the Meterpreter trojan disguised as pip, deletes the netstat system utility, and tampers with the SSH authorized_keys file.
APTX is a new threat on PyPI named after the popular audio codec developed by Qualcomm and used in many Bluetooth devices. Other malicious packages include httops and tkint3rs. All of them rely on typosquatting: purposely crafted names meant to be confused with legitimate packages. According to Sharma, httops and tkint3rs are misspellings of https and the tkinter Python interface, respectively.
According to Sonatype engineers, aptx has a setup.py manifest that can create an ELF binary named ./pip/pip. The binary is a Meterpreter trojan generated with Metasploit, a penetration testing tool, and gives the attacker shell access to the infected machine. The same setup.py also deletes netstat, making it harder for a sysadmin to track active connections.
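Because the behaviour above runs at install time from setup.py, a useful defensive control is static triage of a package's setup.py before it is installed. The following is an added example, not Sonatype's tooling: it parses setup.py with Python's `ast` module and reports custom install hooks (`cmdclass`, subclasses of setuptools install commands), dangerous calls such as `os.remove` or `subprocess.*`, and string literals referring to sensitive paths. The two embedded setup.py texts are constructed samples that are only parsed, never executed.

```python
"""Static triage of a setup.py for install-time side effects."""
import ast

# Calls that have no business in an ordinary setup.py (constructed, non-exhaustive list).
DANGEROUS_CALLS = {
    "os.system", "os.popen", "os.remove", "os.unlink", "shutil.rmtree",
    "subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output",
    "base64.b64decode", "urllib.request.urlopen", "exec", "eval",
}
# Substrings of string literals worth a second look.
SENSITIVE_STRINGS = ("authorized_keys", ".ssh", "netstat", "/usr/bin", "/usr/sbin", "/etc/")
# setuptools command classes that run during install/build when subclassed.
INSTALL_COMMANDS = {"install", "develop", "build_py", "egg_info"}

# Constructed sample mirroring the behaviour the report describes (parsed only).
SUSPICIOUS_SETUP = '''\
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        os.remove("/usr/bin/netstat")
        with open(os.path.expanduser("~/.ssh/authorized_keys"), "a") as f:
            f.write("")

setup(name="aptx", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample for comparison.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="mylib", version="1.0", packages=["mylib"])
'''


def _dotted(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Return sorted (lineno, kind, detail) findings for a setup.py source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "call", name))
            if name == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":  # install steps are being overridden
                        findings.append((node.lineno, "cmdclass", "custom install hook"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(s in node.value for s in SENSITIVE_STRINGS):
                findings.append((node.lineno, "string", node.value))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted(base)
                if base_name and base_name.split(".")[-1] in INSTALL_COMMANDS:
                    findings.append((node.lineno, "subclass", f"{node.name}({base_name})"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, triage_setup_py(src))
```

Any finding here is a reason to unpack the sdist and read it, not proof of malice; legitimate packages occasionally use cmdclass for build steps. Pairing this with a policy of installing from wheels only (which skips setup.py execution entirely) removes most of the install-time attack surface the report describes.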
In their January 2023 Malware Monthly, Sonatype researchers provide details on dozens of other malicious packages found in PyPI and hundreds of new malicious packages in the NPM registry.
Several of them demonstrate novel attack strategies, such as detecting whether the host on which the malware is running is a virtual machine or a sandbox. Typically, malware exits immediately in these circumstances to prevent security researchers, who will likely install the package in a virtual machine or sandbox, from discovering it.
RAT (remote access trojan) mutants are another new tactic employed by recent malware. They utilize polymorphic payloads that change every time the binary is executed to evade detection. These RAT mutants often combine the capabilities of remote access trojans with information stealers in order to gain access to clipboard data or wallet information.
Sonatype also identified packages that, while not an immediate threat, should be considered malicious. Over 33k packages were published under the scope of “infinitebrahmanuniverse” and with the “nolb-” prefix, with the sole purpose of creating a dependency on any other NPM package. According to Sonatype, this brings the “dependency hell” problem to an entirely new level. An attacker could create a malicious package that depends on some of those nolb- packages in order to run a denial of service attack against a company’s download channel and consume excessive amounts of resources as a result.
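A pre-install check against this kind of dependency bloat, as an added example (not Sonatype's code): it resolves the transitive dependency closure of a package from registry metadata, then flags packages whose closure is unusually large or dominated by one name prefix, and attributes the bloat to the direct dependency that introduces it. The registry map, the `nolb-` leaf packages and the thresholds are constructed; a real check would read the same information from the package manager's lockfile or the registry API.

```python
"""Audit the transitive dependency closure of a package for bloat and prefix-dominated pulls."""
from collections import deque

# Constructed registry metadata: package name -> direct dependencies.
REGISTRY = {
    "app": ["util-lib", "bloat-trigger"],
    "util-lib": ["tiny-helper"],
    "tiny-helper": [],
    # A package whose only purpose is to pull in many empty "nolb-" packages.
    "bloat-trigger": [f"nolb-pkg{i}" for i in range(50)],
}
for i in range(50):
    REGISTRY[f"nolb-pkg{i}"] = []  # leaf packages with no real content


def transitive_deps(name, registry=REGISTRY):
    """Breadth-first closure of everything `name` would pull in (excluding itself)."""
    seen, queue = set(), deque([name])
    while queue:
        current = queue.popleft()
        for dep in registry.get(current, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def audit_dependency_closure(name, registry=REGISTRY, max_total=40,
                             max_prefix_share=0.5, prefix="nolb-"):
    """Return a list of human-readable reasons to refuse or review the install.

    Each reason names the direct dependency responsible, so the finding is actionable.
    """
    closure = transitive_deps(name, registry)
    reasons = []
    if len(closure) > max_total:
        reasons.append(f"{name}: closure of {len(closure)} packages exceeds {max_total}")
    prefixed = {d for d in closure if d.startswith(prefix)}
    if closure and len(prefixed) / len(closure) > max_prefix_share:
        reasons.append(f"{name}: {len(prefixed)}/{len(closure)} packages share prefix '{prefix}'")
    if reasons:
        # Blame: which direct dependency contributes the most to the closure?
        blame = max(registry.get(name, []),
                    key=lambda d: len(transitive_deps(d, registry)) + 1, default=None)
        if blame is not None:
            reasons.append(f"largest contributor: {blame} "
                           f"({len(transitive_deps(blame, registry)) + 1} packages)")
    return reasons


if __name__ == "__main__":
    for pkg in ("app", "util-lib"):
        print(pkg, audit_dependency_closure(pkg) or ["ok"])
```

Running this on a lockfile before `npm install` (or its PyPI equivalent) turns a resource-exhaustion surprise into a policy decision; the prefix-share rule is what catches the nolb- pattern specifically, while the size cap catches the general case.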
The Malware Monthly reports that another trend that has gained traction recently is that of cryptominers, that is, trojans that use your computational power to mine cryptocurrency.