This week, Sonatype’s automated malware detection bots have discovered the malicious Python package ‘pymafka’ in the PyPI registry. The package appears to typosquat a legitimate popular library PyKafka, a programmer-friendly Apache Kafka client for Python. The development follows our discovery of another typosquat targeting the Apache Kafka project from earlier this month.
PyKafka includes Python implementations of Kafka producers and consumers and has been retrieved over 4,240,305 times by user-initiated downloads and mirrors/bots alike. By contrast, malicious ‘pymafka’ shows a download count of around 300 as Sonatype timely reported the finding to PyPI.
PyMafka drops Cobalt Strike on Windows, macOS
The ‘setup.py’ Python script inside ‘pymafka’ first detects your platform. Depending on whether you are running Windows, macOS, or Linux, an appropriate malicious trojan is downloaded and executed on the infected system.
The trojan in question is a Cobalt Strike (CS) beacon. Cobalt Strike is a pen-testing software tool typically used by red teams and ethical hackers for simulating real-world cyberattacks, especially during security assessments.
As evident from the code below, on Windows systems, the Python script attempts to drop the Cobalt Strike beacon at ‘C:\Users\Public\iexplorer.exe’.
The malicious executables being downloaded are ‘win.exe’ [VirusTotal], and ‘MacOS’ [VirusTotal], with their names corresponding to their target operating systems. Both of these are downloaded from the IP address 141.164.58[.]147, commissioned by the cloud hosting provider, Vultr.
These executables attempt to contact China-based IP 39.106.227[.]92, which is assigned to Alisoft (Alibaba).
On Windows, the payload also kept persistently surveying the ‘/updates.rss’ endpoint and sending encrypted cookie values in requests, a behavior consistent with Cobalt Strike beacons.
GET /updates.rss HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)Host: 188.8.131.52:8445
For Linux systems, the Python script attempts to download and run an “env” executable from the IP address 39.107.154[.]72 (also Alibaba-owned), which at the time of analysis was down.
Researchers have reported these findings to the PyPI registry shortly after catching and analyzing the package and the malicious package was taken down yesterday, just before reaching ~300 downloads.
The indicators of compromise (IOCs) associated with this campaign are given below.
Python package ‘pymafka-3.0.tar.gz’: 4de4f47b7f30ae31585636afd0d25416918d244fcc9dfe50967a47f68bb79ce1