- Socket found seven malicious packages on PyPI
- The packages abused Gmail and WebSockets
- They have been removed from the platform
Several malicious PyPI packages were recently observed abusing Gmail to exfiltrate stolen sensitive data and to communicate with their operators.
Cybersecurity researchers at Socket, who discovered the packages, reported them to the Python package repository and thus helped get them removed from the platform; however, the damage has already been done.
According to Socket, there were seven malicious PyPI packages, some of which had been on the platform for more than four years. Cumulatively, they had more than 55,000 downloads. Most imitate the legitimate Coffin package, with names such as Coffin-Codes-Pro, Coffin-Codes-Net2, Coffin-Codes-Net, Coffin-Codes-2022, Coffin2022 and Coffin-Grave. One was called CFC-BSB.
Compromised hosting accounts
The researchers explained that once a package is installed on the victim's device, it connects to Gmail using hard-coded credentials and contacts the command-and-control (C2) server.
It then creates a tunnel using WebSockets, and because Gmail's mail server is used for the communication, the traffic bypasses most firewalls and other security measures.
As a result, attackers can send commands, steal files, run code and even access systems remotely.
However, it seems the criminals were mainly interested in cryptocurrency, since one of the email addresses the malware contacted had the words “blockchain” and “bitcoin” in it:
“Coffin-Codes-Pro establishes a connection with the Gmail SMTP server using hard-coded credentials, namely spphaacoffin@gmail[.]com and a password,” says the report.
“It then sends a message to a second email address, blockchain[.]Bitcoins2020@gmail[.]com, indicating that the implant is working.”
Socket has warned all Python users who have run any of the packages in their environment to remove them immediately and rotate keys and credentials as necessary.
The researchers also urged everyone to watch for unusual outbound connections, “especially SMTP traffic”, and warned them not to trust a package just because it has been around for a few years.
“To protect your code base, always verify the authenticity of a package by checking download counts, publisher history and GitHub repository links,” they added.
“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can see them or import them during development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
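A defender-side triage check for the behaviour described above (hard-coded Gmail SMTP credentials plus a WebSocket tunnel) and for the researchers' advice to audit dependencies and watch SMTP use: this is an added example, not Socket's tooling or code from the packages themselves. It walks the AST of every module under a directory such as a virtualenv's site-packages and flags modules that combine a literal mail-server host name with a .login() call whose user and password are both string literals; the host and module lists, the two sample modules and the function names are assumptions.

```python
import ast
import pathlib
# Assumed indicator lists; extend them for other webmail hosts or tunnel libraries.
MAIL_HOSTS = {"smtp.gmail.com", "imap.gmail.com"}
TUNNEL_MODULES = {"websocket", "websockets", "socketio"}
# Constructed samples; not code from the packages Socket analysed.
SUSPICIOUS_SAMPLE = '''
import smtplib, websocket
def beacon():
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("operator.placeholder@example.com", "literal-password")
'''
BENIGN_SAMPLE = '''
import os, smtplib
def notify(host, user):
    smtplib.SMTP(host).login(user, os.environ["SMTP_PASSWORD"])
'''
def scan_source(src):
    """Return (kind, value, lineno) findings for one module's source text."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            findings += [("tunnel-module", a.name, node.lineno) for a in node.names
                         if a.name.split(".")[0] in TUNNEL_MODULES]
        elif (isinstance(node, ast.ImportFrom)
              and (node.module or "").split(".")[0] in TUNNEL_MODULES):
            findings.append(("tunnel-module", node.module, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower() in MAIL_HOSTS:  # literal mail-server host name
                findings.append(("mail-host", node.value, node.lineno))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "login" and len(node.args) >= 2
              and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                      for a in node.args[:2])):  # .login("user", "pass") literals
            findings.append(("hardcoded-login", node.args[0].value, node.lineno))
    return findings
def is_suspicious(src):
    """A mail host plus literal login credentials in one module is the trigger."""
    return {"mail-host", "hardcoded-login"} <= {k for k, _, _ in scan_source(src)}
def scan_tree(root):
    """Map path -> findings for every suspicious .py file below root."""
    hits = {}
    for p in pathlib.Path(root).rglob("*.py"):
        try:
            src = p.read_text(errors="ignore")
            if is_suspicious(src):
                hits[str(p)] = scan_source(src)
        except SyntaxError:  # skip files the current parser cannot read
            pass
    return hits
```

Run scan_tree() against an environment's site-packages and review the findings by hand: a benign notifier that reads its password from the environment, like BENIGN_SAMPLE, is not flagged, while a module that embeds both the Gmail host and literal credentials is.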
Via BleepingComputer