SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Advanced Persistent Threat Protection
#
Blockchain
#
Cryptocurrency
Malicious Python projects targeting Linux, Windows systems
Thu, 28th Dec 2023
Author image
By Shannon Williams, Journalist
Follow us

ESET Research has uncovered a series of harmful Python projects on PyPI, the official Python package repository.

According to ESET, both Linux and windows systems are targeted by these cyber threats, which typically deliver a customised cyberespionage backdoor. This allows remote command execution, file exfiltration, and sometimes even the ability to take screenshots.

Marc-tienne Lveill, an ESET researcher, identified and analysed the malicious packages. In some cases, the final payload is a version of the notorious W4SP Stealer, designed to steal personal data and credentials. Alternatively, a straightforward clipboard monitor is used to steal cryptocurrency predominantly Bitcoin, Ethereum, Monero, and Litecoin.

ESET Research says the cyber espionage threat was downloaded more than 10,000 times, with victims averaging to 80 downloads per day from May 2023. Over 116 files across 53 projects that contain malware were discovered by ESET. Despite their similar names to legitimate packages, ESET researchers believe the primary installation method isn't through 'typosquatting', rather it's social engineering: victims are guided through the pip-process to install an interesting package.

Following the release of this research, the majority of the packages have been removed from PyPI. ESET has worked in conjunction with PyPI to take actions regarding the remaining packages. As it stands, all known malicious packages have been taken offline. PyPI is favored among Python programmers as a platform for code sharing and downloads. However, the inclusivity of the repository can backfire as malware, disguised as legitimate, popular code libraries, can seep in.

The threat actors behind this campaign have been seen using three techniques for integrating malicious code into the Python packages. The first method involves inserting a test module with slightly obfuscated code inside the package. The second approach is to embed PowerShell code in the setup.py file usually automatically run by package managers like pip to aid in the installation of Python projects. The third technique finds the operators making no attempts to include legitimate code in the package, resulting in only the malicious code appearing in a slightly obfuscated form.

Typically, the final payload will be a custom backdoor capable of executing remote commands, exporting files, and sometimes taking screenshots. On Windows systems, the backdoor is implemented through Python, whereas on Linux it is executed through the Go programming language. In certain cases, the notorious W4SP Stealer is used as an alternative to the backdoor, or a simple clipboard monitor is employed to steal cryptocurrency or both.

Lveill advises Python developers to carefully examine the code they download before installing it onto their systems. His findings suggest that this kind of abuse of PyPI is likely to continue and he therefore urges developers to proceed with caution when installing code from any public software repository.

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
Jason Haddix joins Flare as Field Chief Information Security Officer
High Performance Podcast duo to keynote Infosecurity Europe conference
New UK cybersecurity law takes effect amid evolving threats
Top stories
The messaging evolution and the fight against fraud
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity