hello@striano.io

USA +1 (561) 879 8966

UK +44 (20) 3807 4004

USA

UK

Researchers at ReversingLabs have identified Python packages employing DLL sideloading as a method to circumvent security tools. Discovered on January 10, 2024, by Karlo Zanki, a reverse engineer at ReversingLabs, the suspicious packages named NP6HelperHttptest and NP6HelperHttper utilize DLL sideloading, a technique known for discreetly executing code and evading security tool detection.

This revelation underscores the increasing threat within software supply chains, where malicious actors exploit vulnerabilities in open-source ecosystems. The incident emphasizes the challenges developers encounter in verifying the quality and authenticity of open-source modules within the vast and dynamic landscape of available code.

The malicious packages, disguised with names closely resembling legitimate ones, aimed to trick developers into unknowingly incorporating them into their projects—a tactic known as typosquatting, one of many methods attackers use to infiltrate legitimate software supply chains.

Further investigation revealed that the malicious packages targeted existing PyPI packages, NP6HelperHttp and NP6HelperConfig, originally published by a user named NP6. Although NP6 is associated with Chapvision, a marketing automation firm, the PyPI account was linked to the personal account of a Chapvision developer. Chapvision subsequently confirmed the legitimacy of the helper tools and removed the malicious packages from PyPI.

Analysis of the malicious packages unveiled a sophisticated approach, where a setup.py script downloaded both legitimate and malicious files. Notably, the malicious DLL, dgdeskband64.dll, was crafted to exploit DLL sideloading, a technique commonly used by cybercriminals to load malicious code while evading detection.

Further scrutiny exposed a broader campaign, with additional samples showing similar characteristics. ReversingLabs’ Titanium Platform, utilizing YARA Retro Hunt, identified related samples indicating a coordinated effort by threat actors.

The malicious code embedded within the DLL utilized an exception handler to execute shellcode, establishing a connection with an external server to download and execute payloads. Traces of Cobalt Strike Beacon, a red team security tool repurposed by threat actors, were also uncovered in the investigation.

This discovery underscores the increasing sophistication of malicious actors leveraging open-source infrastructure for their campaigns. It emphasizes the urgent need for developers and organizations to strengthen their software supply chains against such attacks, emphasizing proactive measures to ensure the integrity and security of their code repositories.

We provide comprehensive information about our services to help you make the best choice for your needs. Take your time to browse through our website and feel free to reach out if you have any questions.

2 Responses

  1. My developer is trying tto persuade mme to move to .net
    from PHP. I have alwas disliked the idea because of the expenses.

    But he’s ttryiong none the less. I’ve been using WordPress on various websites for about a
    year and am anxious abput switching too another platform.
    I have heard great things about blogengine.net. Is there a way I ccan transfer
    all my wordpress posts into it? Any help would be greatly appreciated!

    Allso visit my web page … https://www.waste-Ndc.pro/community/profile/tressa79906983/

    1. Switching from PHP to .NET can offer better performance, security, and integration with Microsoft services. To migrate your WordPress site to BlogEngine.NET:

      Backup Your Site: Use plugins like UpdraftPlus.
      Export Content: Go to Tools > Export in WordPress.
      Install BlogEngine.NET: Download from GitHub.
      Import Content: Convert WordPress XML to BlogML and import.
      Customize: Choose and set up a theme, install extensions.
      SEO and Redirects: Set up 301 redirects to maintain SEO.
      Test: Ensure everything works properly before going live.
      For detailed steps, tools like WordPress to BlogML Converter can help. Feel free to ask if you need more info!