Posted on August 16, 2022 at 7:47 PM
Hackers Are Targeting Counter-Strike Servers Using Malicious PyPi packages
A recent report has revealed that a dozen malicious packages have been uploaded to the PyPi repository after a typosquatting attack on a Counter-Strike 1.6 server. The report also revealed that the threat actors used distributed denial of service (DDoS) attacks as their main strategy. The Python Package Index (PyPi) is a repository of open-source software packages that allow developers to easily used it for their Python projects to design complex apps with little effort.
But the repository is open for anyone to upload packages, and they are not pulled down unless they are reported as malicious. As a result, the repository has seen more abuse by hackers who use it to deploy malware or steal developer credentials.
Researchers Reported A Malicious Typosquatting Campaign
Checkmarx research reported that a user with the pseudonym “devfather777, released 12 packages that utilized the name similar to other popular packages to deceive software developers into using the malicious version. These types of campaigns, called typosquatting attacks, target developers who are convinced to use a malicious package thinking it is the genuine package. They are usually meant to look like a legitimate package. For instance, some of the packages and their legitimate counterparts in the campaign include address, TensorFlow, and Gesnim.
Since software developers generally get the packages from the terminal, it is easier to type its name with a letter in the wrong order. Also, the victim will not realize and goes on to infect their device since the download and build continue as expected.
The Malware Can Inject Expired System-Wide Root Certificate
At the time of writing, the packages are still there despite being reported by CheckMarx. After downloading and utilizing one of the malicious Python packages in their application, the embedded code tries to find out whether the host is a Windows system. After verifying the identity and confirming it’s indeed a Windows system, it goes on to download a payload from GitHub. VirusTotal was used to scan the code, and it was discovered that out of 69 antivirus engines, only 11 of them mark the file as malicious. This means they are relatively new malware written in C++.
The malware self-installs and creates a Startup entry to gain persistence between system reboots. Additionally, it is capable of injecting expired system-wide Root certificates.
Additionally, it receives its configuration by linking up with hardcoded URLs. It keeps trying until it succeeds. But after the third try, it sends requests to domain generation algorithm (DGA) addresses and waits for a response.
The GitHub Repository As Been Removed, But Threat Is Not Over
In a recent post, Checkmarx noted that this is the first time a malware strain has been seen in the software supply chain ecosystem utilizing UGA to give identities for new instructions for a malicious campaign.
As observed by the team, the configuration informed the malware to send the host into a DDoS bot that started sending traffic to a Russian Counter-Strike 1.6 server. Based on the activities of the malware, the objective seems to remove the Counter-Striker server by planting malware in several devices that eventually overwhelm the server. This makes it easier for the threat actors to begin their malicious activities and take control of the servers.
The report also stated that the GitHub repository utilized to host the malware has been removed. However, the threat is not over yet. The hackers or bad actors can restart the malicious campaign by abusing s different file hosting services. As a result, users have been warned to step up their security system to deal with any reoccurrence or fresh targets from hackers.
There Is No Guarantee That A Package Is Highly Secure
Users who are using the 12 mentioned packages are at the most risk of being targeted and infected. The security team has advised that those using such packages who may have made a typing error should double-check and scrutinize their projects and make sure they are using the right software packages.
Those that have downloaded any of the packages are told to consider themselves compromised. In this case, they should take the right actions to limit the impact of the breach.
In several cases, the malicious cases prepare the ground for possible supply chain attack, as the developers’ system can sometimes be by the initial point of infection. Also, security researchers have warned that there is no package in the PyPI that can be considered guaranteed when it comes to security. And since users are responsible for supervising and monitoring the legitimacy of these contents, there is no way a package can claim to be highly secure.
