Threat actors have deployed malicious Python packages on the PyPI repository that implant backdoors disguised as debugging utilities, enabling remote code execution and data exfiltration. This campaign is likely linked to a pro-Ukraine hacktivist group targeting Russian interests amid ongoing geopolitical tensions. #PyPI #OpenSourceSoftwareSecurity
Keypoints
- A malicious PyPI package named “dbgpkg” pretends to be a Python debugger but implants a backdoor on systems that install it.
- The campaign also involves related malicious packages “discordpydebug” and “requestsdev,” all containing the same backdoor payload.
- The backdoor uses Python function wrappers (decorators) on the requests and socket modules to stealthily intercept network communications and execute malicious code.
- Detection is difficult because the malicious code activates only when hooked modules are invoked, leveraging trusted system modules to evade discovery.
- The campaign is attributed with some confidence to a hacktivist group known as Phoenix Hyena, which supports Ukraine and targets Russian entities.
- Previously discovered packages like discordpydebug have remained undetected for years, indicating the threat actor’s sophistication and long-term persistence strategy.
- Several identified malicious packages impersonate legitimate developers by using spoofed email addresses to gain trust within the developer community.
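The wrapper technique described above leaves fingerprints a defender can look for at runtime: a hooked callable either carries `__wrapped__` (when `functools.wraps` was used) or has a code object whose source file lies outside the module it is supposed to belong to, and wrapping "upon accessing attributes" needs either a module-level `__getattr__` or a replaced module object. The audit below is an added example written for this summary, not code from the ReversingLabs write-up or from any of the packages it names; the `cleanlib` and `dbg_helper` fixtures are constructed in memory purely to exercise the checks.

```python
"""Runtime audit of the public callables in `socket` and `requests`.

Added example, not code from the write-up or the packages it names. Three
heuristics that a function-wrapper hook tends to trip: the module object was
replaced by a proxy or gained a module-level __getattr__; a public callable
carries __wrapped__; or a public callable's code object lives in a file outside
the module's own tree, the standard library, or an explicitly trusted dependency.
"""
from __future__ import annotations
import importlib
import inspect
import os
import site
import sysconfig
import types
from dataclasses import dataclass

STDLIB = os.path.abspath(sysconfig.get_paths()["stdlib"])
# site/dist-packages may sit underneath the stdlib prefix; never treat them as stdlib.
SITE_DIRS = {os.path.abspath(p) for p in
             getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]}


@dataclass(frozen=True)
class Finding:
    module: str
    attribute: str
    reason: str


def _is_under(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def _root_of(mod: types.ModuleType) -> str | None:
    """Directory holding the module's own code; None for C/built-in modules."""
    src = getattr(mod, "__file__", None)
    return os.path.dirname(os.path.abspath(src)) if src else None


def _code_dir(obj) -> str | None:
    """Directory of the file defining obj (its class, for callable instances);
    None for C-level objects, which inspect cannot place."""
    target = obj if isinstance(obj, (types.FunctionType, type)) else type(obj)
    try:
        return os.path.dirname(os.path.abspath(inspect.getfile(target)))
    except (TypeError, OSError):
        return None


def _trusted(code_dir: str, roots: list[tuple[str, bool]]) -> bool:
    """roots: (directory, subtree_allowed). Stdlib is trusted except SITE_DIRS."""
    for root, subtree in roots:
        if code_dir == root or (subtree and _is_under(code_dir, root)):
            return True
    in_site = any(_is_under(code_dir, s) for s in SITE_DIRS)
    return _is_under(code_dir, STDLIB) and not in_site


def audit_module(mod: types.ModuleType, trusted_deps: tuple[str, ...] = ()) -> list[Finding]:
    name, findings = mod.__name__, []
    if type(mod) is not types.ModuleType:
        findings.append(Finding(name, "<module>", f"module object is {type(mod).__name__}, not a plain module"))
    if "__getattr__" in vars(mod):
        findings.append(Finding(name, "__getattr__", "module-level __getattr__ hook present"))
    roots = []
    own = _root_of(mod)
    if own:
        roots.append((own, hasattr(mod, "__path__")))  # packages may use their whole subtree
    for dep in trusted_deps:  # re-exports from a known dependency are expected
        dep_root = _root_of(importlib.import_module(dep))
        if dep_root:
            roots.append((dep_root, True))
    for attr in dir(mod):
        if attr.startswith("_"):
            continue
        try:
            obj = getattr(mod, attr)
        except Exception as exc:  # a hook that raises on access is itself a lead
            findings.append(Finding(name, attr, f"attribute access raised {type(exc).__name__}"))
            continue
        if not callable(obj):
            continue
        if hasattr(obj, "__wrapped__"):
            findings.append(Finding(name, attr, "carries __wrapped__: decorated after definition"))
            continue
        code_dir = _code_dir(obj)
        if code_dir is not None and not _trusted(code_dir, roots):
            findings.append(Finding(name, attr, f"code object lives in {code_dir}"))
    return findings


def audit_installed(targets=(("socket", ()), ("requests", ("urllib3",)))) -> dict[str, list[Finding]]:
    """Audit the two modules the write-up names, skipping any not installed."""
    results = {}
    for name, deps in targets:
        try:
            results[name] = audit_module(importlib.import_module(name), deps)
        except ImportError:
            continue
    return results


def build_fixtures() -> tuple[types.ModuleType, types.ModuleType]:
    """Constructed fixtures, not real packages. compile() with an explicit filename
    gives each function a chosen source path without touching the filesystem."""
    def make_module(name, path, src):
        mod = types.ModuleType(name)
        mod.__file__ = path
        exec(compile(src, path, "exec"), mod.__dict__)
        return mod
    lib_src = "def get(url):\n    return 'GET ' + url\ndef post(url):\n    return 'POST ' + url\n"
    clean = make_module("cleanlib", "/constructed/lib/cleanlib/__init__.py", lib_src)
    hooked = make_module("cleanlib", "/constructed/lib/cleanlib/__init__.py", lib_src)
    # Pass-through wrappers whose code objects live in a different, constructed package.
    hooks = make_module("dbg_helper", "/constructed/site-packages/dbg_helper/__init__.py",
        "import functools\n"
        "def wrap(fn):\n    @functools.wraps(fn)\n    def inner(*a, **k):\n        return fn(*a, **k)\n    return inner\n"
        "def bare(fn):\n    def inner(*a, **k):\n        return fn(*a, **k)\n    return inner\n")
    hooked.get = hooks.wrap(hooked.get)    # tripped by the __wrapped__ check
    hooked.post = hooks.bare(hooked.post)  # tripped by the code-location check
    return clean, hooked


if __name__ == "__main__":
    for mod_name, found in audit_installed().items():
        print(mod_name, "clean" if not found else [f"{f.attribute}: {f.reason}" for f in found])
```

Run it inside the interpreter you are worried about (a build agent, a CI runner, a developer's virtualenv), since the hook only exists in processes that imported the malicious package. Treat hits as leads rather than verdicts: legitimate instrumentation such as APM agents, gevent-style monkeypatching and test mocks trip the same heuristics, so record a baseline on a known-clean interpreter and diff against it.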
MITRE Techniques
- [T1204] User Execution – The malicious packages rely on developers downloading and installing counterfeit debugging utilities to trigger the backdoor installation. (“…sells the malicious packages to developers as handy debugging utilities…”)
- [T1059.004] Command and Scripting Interpreter: Python – Malicious Python code uses function wrappers and decorators to implant backdoors and execute payloads. (“…code from the __init__.py file creates function wrappers for all callable attributes from the requests and socket modules…”)
- [T1105] Ingress Tool Transfer – The backdoor checks for a file and executes curl commands to retrieve additional scripts or tools during installation. (“…three curl commands get executed…”)
- [T1071.001] Application Layer Protocol: Web Protocols – The malware uses requests and socket modules to establish network communications for command and control and data exfiltration. (“…wrappers for callable functions are then created upon accessing attributes from those two modules…”)
- [T1566] Phishing – Attackers seeded links to malicious packages via developer forums and Discord channels to trick developers into installing them. (“…malicious actors behind it seeded links to the package on Discord forums…”)
Indicators of Compromise
- [Package Names] Malicious Python packages involved in the campaign – discordpydebug, dbgpkg, requestsdev
- [File Hashes] SHA1 hashes for malicious package versions – discordpydebug 0.0.1 (d5fb0799ac7aa3bf1a888de502b1c7d3f1e060a8), dbgpkg 1.3.6 (ef839ac2a2dfb08b8650fba66e3fe12d320cab72), requestsdev 1.3.6 (cfb1380b8ee93d9570982a2de675e7e67bb51eb8)
- [Email Addresses] Spoofed developer identity used to publish packages – [email protected]
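A practical way to use the indicators above is to sweep the two places a poisoned dependency leaves traces: the distributions importable by an interpreter (matched by PEP 503-normalized project name, so case and separator differences do not hide a hit) and any archives sitting in a pip cache or artifact store (matched by SHA1). The script below is an added example for this summary, not code from the ReversingLabs write-up; the only values it takes from the page are the package names and hashes listed in this section, and `demo_sweep` writes a constructed file solely to exercise the hashing path.

```python
"""IoC sweep for the package names and SHA1 hashes listed in this summary.

Added example, not code from the write-up. Checks installed distributions by
normalized name and files under a directory by SHA1.
"""
from __future__ import annotations
import hashlib
import os
import re
import tempfile
from importlib import metadata

# Copied from the Indicators of Compromise section above.
IOC_PACKAGES = {"discordpydebug", "dbgpkg", "requestsdev"}
IOC_SHA1 = {
    "d5fb0799ac7aa3bf1a888de502b1c7d3f1e060a8": "discordpydebug 0.0.1",
    "ef839ac2a2dfb08b8650fba66e3fe12d320cab72": "dbgpkg 1.3.6",
    "cfb1380b8ee93d9570982a2de675e7e67bb51eb8": "requestsdev 1.3.6",
}


def normalize(name: str) -> str:
    """PEP 503 project-name normalization: 'DbgPkg' and 'dbgpkg' compare equal,
    'requests-dev' and 'requestsdev' do not."""
    return re.sub(r"[-_.]+", "-", name).lower()


def match_names(names, iocs=IOC_PACKAGES) -> list[str]:
    """Return the input names (as given) whose normalized form is an IoC."""
    wanted = {normalize(n) for n in iocs}
    return sorted({n for n in names if normalize(n) in wanted})


def installed_iocs() -> list[str]:
    """Distributions visible to this interpreter that match the IoC names."""
    return match_names((d.metadata["Name"] or "") for d in metadata.distributions())


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_archives(directory: str, iocs=IOC_SHA1) -> dict[str, str]:
    """Map each file under `directory` whose SHA1 is an IoC to its label."""
    hits = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            label = iocs.get(sha1_of(path))
            if label:
                hits[path] = label
    return hits


def demo_sweep() -> dict[str, str]:
    """Self-check on a constructed file: sweep a temp dir against that file's own
    digest, proving the walk-and-hash path end to end without real malware."""
    d = tempfile.mkdtemp(prefix="ioc-sweep-")
    p = os.path.join(d, "constructed-0.0.0.tar.gz")
    with open(p, "wb") as f:
        f.write(b"not a real archive; constructed for the self-check")
    return sweep_archives(d, {sha1_of(p): "self-check"})


if __name__ == "__main__":
    print("installed IoC packages:", installed_iocs())
    cache = os.path.expanduser("~/.cache/pip")  # default pip cache on Linux
    if os.path.isdir(cache):
        print("archive hits:", sweep_archives(cache))
```

Point `sweep_archives` at whatever directory holds downloaded distributions in your environment (pip cache, a proxy repository's storage, a build artifact store); the hashes match the specific versions named above, so the name check is the broader net and the hash check the confirmation.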
Read more: https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility