Researchers found that the malware infected 4 Python Package Index (PyPI). These malicious software can make some changes to the computer on which it is installed.
It can take a number of dangerous actions. Dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. Unfortunately, these packages were downloaded by many users until the spyware was detected.
Packages containing malware have been downloaded 450 times!
When attention is paid to their names, it is seen that these names were not chosen by chance. aptx is a copyrighted product of Qualcomm. It basically aims to transmit sound losslessly. httops, on the other hand, is similar in name to https, which we are all familiar with. tkint3rs is an imitation of tkinter.
“Most of these packages had well thought out names, to purposely confuse people,” security researcher and journalist Ax Sharma said. An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that’s disguised as “pip,” a legitimate package installer for Python which can be leveraged to gain shell access to the infected host.
It also takes steps to remove the netstat command line utility used to monitor network configuration and activity and modify the .ssh/authorized_keys file to install an SSH backdoor for remote access.
FortiGuard Labs is the threat intelligence and research organization at Fortinet. They’re uncovering five different Python packages. These are web3-essential, 3m-promo-gen-api, ai-solver-gen, hypixel-coins, httpxrequesterv2, and httpxrequester to infiltrate the system and access sensitive information they are designed.
Python is a popular, constantly updated programming language suitable for data processing and cyber security. Widely used by many corporate companies and start-ups. Python may have been chosen as a target because it is also a popular language among cybersecurity professionals. What do you think about this subject? Please share your opinion with us in the comments!