Lazarus Hacking Group’s Malicious Python Packages Uncovered

Security researchers warn of a new wave of malicious Python packages uploaded to PyPI, the official Python repository. This attack, attributed to the infamous Lazarus hacking group, leverages a dangerous tactic: preying on developers’ typos to install malware disguised as legitimate tools.

Inside the Trojan Packages

JPCERT/CC’s latest investigation has unveiled a cunning strategy by Lazarus, involving the release of four Python packages:

Python packages released by Lazarus attack group

• pycryptoenv
• pycryptoconf
• quasarlib
• swapmempool

These packages, notably similar in name to the legitimate encryption package pycrypto, appear to have been crafted to exploit typos by unsuspecting users during package installation. This typographical trojan horse represents a broader tactic of leveraging human error to facilitate the deployment of malware.

These packages are the initial entry point for this sophisticated attack. Let’s dissect the malware’s intricate workings:

• Hidden Payload: Each package holds a concealed XOR-encoded DLL file. This evasive tactic makes it harder for automated scanners to detect. Delving into the file structure of these packages, with pycryptoenv serving as a primary example, reveals a chillingly efficient approach to cyber sabotage. The package contains a file named test.py, not an innocuous Python script as one might expect, but a binary data file masquerading as an encoded DLL. This file, when decoded and executed by the accompanying init.py script, unleashes a malware known as Comebacker. This malware was previously used by Lazarus in targeted attacks against security researchers.
• Layered Execution: The execution of the Comebacker malware is not immediate upon the installation of the malicious package. Instead, it requires the execution of a separate Python script that activates the crypt function, showcasing a layer of obfuscation in the malware’s deployment. Once this script is run, the test.py file undergoes XOR-decoding, transforming into output.py and subsequently executed as a DLL. This process spawns additional DLL files, including IconCache.db and NTUSER.DAT, which harbor the primary payload of the malware, executed directly in memory to avoid detection. This type of payload has been Lazarus’ weapon of choice for years.
• Self-Preservation: Files like ‘IconCache.db’ and ‘NTUSER.DAT’ are generated and executed, ensuring the malware maintains its grip on the compromised system.

The Attack’s Modus Operandi

1. Typosquatting: Developers installing packages in a hurry might easily mistype common library names and unknowingly install the malicious versions.
2. Disguise: The payload isn’t directly executable, tricking users into thinking the package is safe. The attackers likely have other methods to trigger the malicious code.
3. Command and Control: ‘Comebacker’ establishes communication with its C2 server. It sends system details, awaits further instructions, and can download and execute additional payloads.

Lazarus’ Signature and Evolving Tactics

The Lazarus Group‘s fingerprint is evident not only in the structure and functionality of these packages but also in the unique characteristics of the encoded files. One notable feature is the presence of repeated 66 66 66 66 commands, a hallmark of Lazarus’s encoding practices found across various malware strains, including the notorious BLINDINGCAN.

With download counts ranging from 300 to 1,200, the potential impact of these malicious packages is not to be underestimated. The Lazarus hacking group’s strategy of targeting typographical errors highlights a critical vulnerability in software development practices: the human element. This incident serves as a stark reminder of the importance of exercising caution and due diligence when installing packages, especially in environments critical to development and operational security.