
Malicious Python Package Exfiltrates AWS Credentials – Source: www.govinfosecurity.com


Source: www.govinfosecurity.com – Author:

Security Operations

Developers’ Credentials Stolen via Typosquatted ‘Fabric’ Library

Prajeet Nair (@prajeetspeaks) • November 11, 2024

Malicious Python Package Exfiltrates AWS Credentials

A malicious Python package that mimics a popular SSH automation library has been live on PyPI since 2021 and delivers payloads that steal credentials and create backdoors.


Application security company Socket said that the operators behind the malicious fabrice package – a misspelling of the legitimate fabric library – appear intent on stealing AWS credentials from developers.

Once installed, the malicious package steals AWS access and secret keys, sending them to a remote server operated through a VPN in Paris, masking the attacker’s true identity and location, researchers said.

PyPI, a widely used repository for Python libraries, has frequently been targeted by malicious actors. A North Korean hacking group with a history of stealing cryptocurrency poisoned Python packages in September, targeting developers working on the Linux and macOS operating systems in an apparent attempt at a supply chain attack (see: North Korea Targets Software Supply Chain Via PyPI).

According to Socket, fabrice operates by executing platform-specific scripts that vary between Linux and Windows environments.

On Linux systems, it creates hidden directories within user folders, downloads external scripts and obfuscates URLs to conceal its malicious intent.

The linuxThread function within the package downloads and executes these scripts, storing them in hidden directories such as ~/.local/bin/vscode, which are challenging to detect. Through encoded payloads, these scripts access and exfiltrate sensitive credentials, including AWS keys, without the user’s knowledge.

The winThread function, deployed on Windows systems, leverages base64-encoded payloads to ensure persistence. It decodes specific variables to run scripts in the background and creates scheduled tasks that automatically execute malware every 15 minutes, ensuring ongoing access to the compromised system.

Once the scripts initiate, they download a secondary payload disguised as chrome.exe into the user’s downloads folder, enabling the attacker to maintain control over the machine.

Socket informed PyPI of the malicious package to initiate its removal, but it remains available as of the latest report. Socket urged developers to verify libraries before installation and consider using security tools to flag potentially malicious packages.
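Socket's advice to verify libraries before installing them can be partly automated. The script below is an added example, not code from the article or from Socket: it parses a requirements file and flags any name that is not on an allowlist but is one edit away from an allowlisted package, which is exactly how fabrice relates to fabric. The allowlist and the sample requirements file are constructed assumptions.

```python
import re

# Constructed allowlist of well-known names (assumption: a real deployment
# would load the top-N PyPI packages or an internal approved list).
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "numpy"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement_name(line: str):
    """Return the project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith("-"):          # blank or an option such as -r
        return None
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_typosquats(requirements_text: str, known=KNOWN_PACKAGES, max_distance=1):
    """Flag names not on the allowlist but within max_distance of an allowlisted one."""
    findings = []
    for line in requirements_text.splitlines():
        raw = parse_requirement_name(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in known:
            continue
        for candidate in sorted(known):
            d = edit_distance(name, candidate)
            if d <= max_distance:
                findings.append((raw, candidate, d))
    return findings

# Constructed sample requirements file; "fabrice" is the typosquat named in the article.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
fabrice==0.1.0   # one letter away from fabric
paramiko
-r other.txt
"""

if __name__ == "__main__":
    for raw, candidate, d in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"{raw}: distance {d} from known package {candidate}")
```

Running it on the sample reports only fabrice, pointing at fabric; a hit is a prompt to check the package's PyPI page and maintainer before installing, not proof of malice.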

Original Post URL: https://www.govinfosecurity.com/malicious-python-package-exfiltrates-aws-credentials-a-26789
