Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) is warning that the North Korean state-sponsored hacking group Lazarus has uploaded four malicious packages to PyPI to infect developers with malware.

PyPI (Python Package Index) is a repository of open-source software packages that software developers can utilize in their Python projects to add additional functionality to their programs with minimal effort.

The lack of strict vetting on the platform allows threat actors to upload packages carrying information-stealing malware and backdoors; the malicious code runs on a developer's machine as soon as the package is installed or imported into a project.

That foothold lets the group move into the developer's network, where it conducts financial fraud or tampers with software projects to mount supply chain attacks.

Lazarus previously leveraged PyPI to distribute malware in August 2023, when the North Korean state-sponsored hackers submitted packages camouflaged as a VMware vSphere connector module.

Lazarus' new PyPI packages

Today, JPCERT/CC is warning that Lazarus has once again uploaded packages to PyPI that install the 'Comebacker' malware loader.

The four new packages that JPCERT/CC attributes to Lazarus are:

The first two packages' names are chosen to suggest a link to the legitimate 'pycrypto' project (Python Cryptography Toolkit), a collection of hash functions and encryption algorithms that is downloaded roughly 9 million times a month; the resemblance is deliberate, and there is no real relationship between the projects.

None of the four packages is still available on PyPI; the last of them was removed from the repository only yesterday.

However, the download statistics platform PePy reports a combined installation count of 3,252. Those counts include mirrors and automated scanners, so the number of actually infected systems is likely lower, but it still suggests that hundreds or thousands of developer machines may have been compromised by Lazarus malware.

The malicious packages share a similar file structure: each contains a 'test.py' that is not really a Python script but an XOR-encoded DLL, which the package's '__init__.py' decodes and executes.

Decoding and executing test.py (JPCERT/CC)

Executing test.py in turn decodes and drops additional DLL files whose names are chosen to look like database files, as shown in the following diagram.

Execution chain (JPCERT/CC)
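The same trick, a file with a .py extension that does not parse as Python and hides an XOR-encoded PE file, is something a package reviewer can check for mechanically. The script below is an added example written for this article, not code from JPCERT/CC or from the malicious packages. It assumes a single-byte XOR key (the real packages may use a different scheme) and a small constructed package layout in place of a real PyPI download; the PE-looking blob is fabricated, not a real DLL.

```python
"""Triage a package for .py files that are really XOR-encoded PE (DLL/EXE) blobs.

Added example for this article; assumes a single-byte XOR key, which is an
assumption and not necessarily how the Lazarus packages were encoded.
"""
import ast

# Strings that a decoded PE file almost always contains.
PE_MARKERS = (b"This program cannot be run in DOS mode", b"PE\x00\x00")


def is_valid_python(data: bytes) -> bool:
    """True if the bytes compile as Python source; an encoded DLL will not."""
    try:
        ast.parse(data.decode("utf-8"))
        return True
    except (SyntaxError, UnicodeDecodeError, ValueError):
        # ValueError covers null bytes on older CPython versions.
        return False


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (assumed encoding scheme)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_pe(blob: bytes):
    """Try all 256 keys; return (key, decoded) when the result looks like a PE file.

    Only one key can turn the first two bytes into 'MZ', so the full decode is
    attempted at most once, and the PE marker check guards against coincidence.
    """
    if len(blob) < 2:
        return None
    for key in range(256):
        if bytes((blob[0] ^ key, blob[1] ^ key)) != b"MZ":
            continue
        decoded = xor_bytes(blob, key)
        if any(marker in decoded for marker in PE_MARKERS):
            return key, decoded
    return None


def triage_package(files: dict) -> list:
    """Return [(path, key)] for .py files that are really XOR-encoded PE blobs.

    `files` maps relative path -> file contents, as one would get from walking
    an extracted wheel or sdist.
    """
    findings = []
    for path, data in files.items():
        if not path.endswith(".py") or is_valid_python(data):
            continue
        hit = recover_single_byte_xor_pe(data)
        if hit is not None:
            findings.append((path, hit[0]))
    return findings


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE-looking blob, NOT a real DLL."""
    return (b"MZ" + b"\x90" * 62
            + b"This program cannot be run in DOS mode.\r\n$"
            + b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 32)


def build_sample_package(key: int = 0x5A) -> dict:
    """Constructed package layout mirroring the structure JPCERT/CC describes."""
    return {
        "pkg/__init__.py": b"import os\n# loader logic would live here\n",
        "pkg/test.py": xor_bytes(build_fake_pe(), key),
    }


if __name__ == "__main__":
    for path, key in triage_package(build_sample_package()):
        print(f"{path}: XOR-encoded PE file, key 0x{key:02x}")
```

Run it against an extracted package by walking the tree and feeding every file into `triage_package`; a reported hit is worth a manual look at the accompanying `__init__.py`, since that is where the decode-and-execute logic sits in the packages JPCERT/CC analysed.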

The Japanese cybersecurity agency says that the final payload (IconCache.db), which runs only in memory, is the malware known as "Comebacker," first documented by Google's Threat Analysis Group in January 2021, when it was used in a campaign against security researchers.

The Comebacker loader connects to the attacker's command and control (C2) server, sends an HTTP POST request carrying encoded strings, and waits for the server to return further Windows malware, which it then loads in memory.

Based on various indicators, JPCERT/CC says this latest attack is another wave of the same campaign Phylum reported in November 2023 involving five crypto-themed npm packages.

Lazarus has a long history of breaching corporate networks to conduct financial fraud, usually to steal cryptocurrency.

Previous attacks attributed to Lazarus include the theft of $620 million worth of Ethereum from Axie Infinity's Ronin network bridge and other crypto thefts from Harmony Horizon, Alphapo, CoinsPaid, and Atomic Wallet.

In July, GitHub warned that Lazarus was targeting developers at blockchain, cryptocurrency, online gambling, and cybersecurity companies using malicious repositories.
