A sophisticated cyberattack campaign recently compromised the software supply chain, impacting both the Top.gg GitHub organization—a community of over 170,000 members—and several individual developers.
The attackers utilized a range of Techniques, Tactics, and Procedures (TTPs), such as account takeovers through stolen browser cookies, the submission of malicious code through verified commits, the creation of a custom Python mirror, and the publication of malicious packages on the PyPi registry. The campaign was notable for its silent execution, aimed at stealing sensitive information from victims through multiple malicious open-source tools, the distribution of a malicious dependency via a fake Python infrastructure, and the execution of a multi-stage, evasive malicious payload.
In this campaign, attackers deployed a fake Python packages mirror to distribute a poisoned copy of the “colorama” package and compromised several GitHub accounts, including that of a top.gg contributor. The sophistication of the attack was further demonstrated through the employment of social engineering tactics, Typosquatting, and strategic obfuscation techniques to minimize detection and maximize the spread of the malware.
Attack Campaign Overview
This campaign exploited the software supply chain through malicious open-source tools with appealing descriptions, likely catching the attention of users via search engines. The strategy involved distributing a compromised dependency from a counterfeit Python infrastructure, linking it to well-regarded projects on GitHub and legitimate Python packages. This method led to the compromise of GitHub accounts and the introduction of malicious Python packages, employing social engineering along the way.
Victim Account
Mohamed Dief, a security researcher, shared his experience of unknowingly downloading malware while working with Python. He encountered unusual error messages related to “colorama,” signaling the breach. Dief’s blog post highlights the attack’s stealth and its propagation through GitHub repositories.
Tactics and Techniques Employed
The attack relied on creating a counterfeit website mimicking a Python package mirror, an example of the technique typosquatting, in order to deceive users. A manipulated version of “colorama” hosted on this site and the takeover of reputable GitHub accounts were pivotal. The tampered “colorama” package concealed additional malicious code using whitespace, triggering a sequence of operations to fetch and execute further Python code. This phase involved library installations, data decryption, and embedding malware into systems. Obfuscation methods such as using non-Latin character strings and compression techniques obscured the malicious code’s intent.
The 5 Stages of the Attack
The campaign unfolds over five stages, each escalating the system’s compromise:
Stage 1: Initial Compromise through Malicious Downloads
- Action: The unsuspecting user downloads a malicious repository or package which contains a malicious dependency, specifically a tampered version of “colorama” from the typosquatted domain “files[.]pypihosted.org”.
- Objective: This stage aims to infiltrate the user’s system by convincing them to download what appears to be a legitimate package or repository, serving as the gateway for further malicious activities.
Stage 2: Execution of Embedded Malicious Code
- Action: Within the malicious “colorama” package, code identical to the legitimate version exists, except for a snippet of malicious code. Originally placed in “colorama/tests/init.py”, the code is later moved to “colorama/init.py” for more reliable execution. This snippet uses whitespace obfuscation to evade detection and initiates the execution of another Python code fetched from “hxxps[:]//pypihosted[.]org/version”.
- Objective: To execute the initial phase of the attack discreetly and prepare the system for further infection by installing necessary libraries and decrypting hard-coded data.
Stage 3: Fetching and Executing Further Malicious Code
- Action: The malware fetches additional, obfuscated Python code from an external link “hxxp[:]//162[.]248[.]100[.]217/inj” and executes it using “exec”.
- Objective: This stage aims to download and execute further malicious payloads, progressively deepening the system’s compromise.
Stage 4: System Persistence and Preparatory Actions for Data Theft
- Action: The obfuscated code checks the compromised host’s operating system and selects a random folder and file name to host the final malicious Python code retrieved from “hxxp[:]//162[.]248[.]100.217[:]80/grb”. It also modifies the Windows registry to create a new run key, ensuring the malware’s execution upon system reboot.
- Objective: To ensure persistence on the compromised system and prepare it for the final stage of the attack, facilitating continuous data theft without detection.
Stage 5: Extensive Data Theft
- Action: The final stage of the malware, sourced from a remote server, exhibits extensive data-stealing capabilities. It targets and steals information from a broad spectrum of applications and services, including web browsers, Discord, cryptocurrency wallets, Telegram sessions, computer files, and Instagram data. The malware also includes a keylogger component, capturing and transmitting the victim’s keystrokes to the attacker’s server.
- Objective: To exfiltrate as much sensitive data as possible from the compromised system, targeting a wide range of applications to maximize the potential gain from the attack. This stage represents the culmination of the attackers’ efforts, leveraging the initial compromise to achieve extensive data theft and possibly financial gain.
Event Timeline
- November 2022: A PyPI user by the name “felpes” uploaded three packages to the Python Package Index (PyPI), each containing different forms of malicious code.
- February 1, 2024: An attacker registered the domain “pypihosted[.]org”, laying the groundwork for a sophisticated Typosquatting attack.
- March 4, 2024: The GitHub account of a contributor to top.gg was compromised. Utilizing this access, the attacker committed malicious code to the repository of the organization, signifying an escalation in the attack campaign.
- March 5, 2024: The user “felpes” published the malicious package “yocolor” on PyPI. This package was designed as a vehicle for distributing the malware, indicating a strategic move to leverage the PyPI ecosystem for malicious purposes.
- March 13, 2024: Further expanding their Typosquatting efforts, the attacker registered another domain, “pythanhosted.org”. This action demonstrated a continued investment in infrastructure to support ongoing and future malicious activities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
