hello@striano.io

USA +1 (561) 879 8966

UK +44 (20) 3807 4004


Researchers at ReversingLabs have identified Python packages that use DLL sideloading to circumvent security tools. The suspicious packages, named NP6HelperHttptest and NP6HelperHttper, were discovered on January 10, 2024, by Karlo Zanki, a reverse engineer at ReversingLabs. DLL sideloading is a technique known for discreetly executing code and evading detection by security tools.

This revelation underscores the increasing threat within software supply chains, where malicious actors exploit vulnerabilities in open-source ecosystems. The incident emphasizes the challenges developers encounter in verifying the quality and authenticity of open-source modules within the vast and dynamic landscape of available code.

The malicious packages, disguised with names closely resembling legitimate ones, aimed to trick developers into unknowingly incorporating them into their projects—a tactic known as typosquatting, one of many methods attackers use to infiltrate legitimate software supply chains.

Further investigation revealed that the malicious packages targeted existing PyPI packages, NP6HelperHttp and NP6HelperConfig, originally published by a user named NP6. Although NP6 is associated with Chapvision, a marketing automation firm, the PyPI account was linked to the personal account of a Chapvision developer. Chapvision subsequently confirmed the legitimacy of the helper tools and removed the malicious packages from PyPI.
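The typosquatting described above can be caught before installation by comparing requested dependency names against a list of packages the project actually trusts. The following checker is an added example, not code from ReversingLabs or from the NP6 packages; the trusted list and the sample requirements are constructed from the names in the article, and the edit-distance threshold is an assumption.

```python
"""Flag dependency names that look like typosquats of trusted packages.

Added example (not from the ReversingLabs report). The trusted list below is
constructed from the legitimate NP6 helper packages named in the article; the
edit-distance threshold is an assumption and should be tuned per project.
"""
from typing import Dict, Iterable, Optional

# Constructed from the article: the legitimate NP6 helper packages.
TRUSTED = ["NP6HelperHttp", "NP6HelperConfig"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '_' and '.' equal '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def suspicious(name: str, trusted: Iterable[str] = TRUSTED, max_dist: int = 2) -> Optional[str]:
    """Return the trusted package this name imitates, or None if it is exact or unrelated."""
    n = normalize(name)
    norm_trusted = {normalize(t): t for t in trusted}
    if n in norm_trusted:
        return None  # exact match: this is the real package
    for tn, original in norm_trusted.items():
        # Appended suffix (NP6HelperHttp -> NP6HelperHttptest) or only a few edits away.
        if n.startswith(tn) or levenshtein(n, tn) <= max_dist:
            return original
    return None


def scan(requirements: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious requirement line to the trusted package it resembles."""
    hits: Dict[str, str] = {}
    for line in requirements:
        pkg = line.split("==")[0].strip()  # drop a pinned version, if any
        target = suspicious(pkg)
        if target:
            hits[pkg] = target
    return hits
```

Run `scan()` over a requirements file in CI; any non-empty result should block the install until a human confirms the name.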

Analysis of the malicious packages unveiled a sophisticated approach, where a setup.py script downloaded both legitimate and malicious files. Notably, the malicious DLL, dgdeskband64.dll, was crafted to exploit DLL sideloading, a technique commonly used by cybercriminals to load malicious code while evading detection.

Further scrutiny exposed a broader campaign, with additional samples showing similar characteristics. ReversingLabs’ Titanium Platform, utilizing YARA Retro Hunt, identified related samples indicating a coordinated effort by threat actors.

The malicious code embedded within the DLL utilized an exception handler to execute shellcode, establishing a connection with an external server to download and execute payloads. Traces of Cobalt Strike Beacon, a red team security tool repurposed by threat actors, were also uncovered in the investigation.

This discovery underscores the increasing sophistication of malicious actors leveraging open-source infrastructure for their campaigns. It highlights the urgent need for developers and organizations to strengthen their software supply chains against such attacks and to take proactive measures that ensure the integrity and security of their code repositories.
