New Malicious PyPI Packages used by Lazarus – JPCERT/CC Eyes

Lazarus has published malicious Python packages on PyPI (pycryptoenv, pycryptoconf, quasarlib, swapmempool) to spread malware, most likely relying on typos made when installing packages. Each package ships a DLL disguised as a .py file; once decoded and run through rundll32, that DLL acts as a loader that decodes Comebacker in memory, and Comebacker then communicates with a C2 server over HTTP.

Keypoints

  • Lazarus released four malicious Python packages to PyPI: pycryptoenv, pycryptoconf, quasarlib, swapmempool.
  • The names pycryptoenv and pycryptoconf resemble pycrypto, so a mistyped pip install pulls in the malicious package instead (typosquatting).
  • The main malware body is test.py, which is not Python source but an XOR-encoded DLL; __init__.py (which runs when the package is imported) decodes it, writes the result as output.py, and executes it.
  • Execution goes through rundll32, which loads a DLL regardless of its file extension and calls the named export: “rundll32 output.py,CalculateSum”.
  • The loaded DLL decodes a second file (NTUSER.DAT) in memory into Comebacker; Comebacker sends HTTP POST requests carrying device identifiers and commands to its C2 servers and receives a Windows executable that it runs in memory.
  • The activity fits Lazarus’ broader campaign against software repositories (npm included); download counts of roughly 300–1,200 were observed for the packages.
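
The dropper pattern above (a “.py” file that is really an XOR-encoded DLL, plus an __init__.py that decodes it and hands it to rundll32) can be triaged offline before a package is ever imported. The following script is an added example and is not code from the JPCERT article or from the malware: it walks an extracted package directory, tries to recover a repeating XOR key from the DOS-stub string that almost every MSVC-linked PE carries at offset 0x4E, confirms the decode is a well-formed PE (MZ magic plus a PE signature at e_lfanew), and separately flags source files that invoke rundll32 on a .py path. The demo key, the package name fakepkg, the mimic __init__.py and the PE-shaped buffer are all constructed for the example; the real samples’ key length and layout are not given on the page, so a key longer than 38 bytes or a non-repeating scheme would need manual analysis.

```python
"""Added triage script (not the JPCERT article's or the malware's code): scan an
extracted PyPI package for a .py file that is really an XOR-encoded DLL and an
__init__.py that runs it through rundll32. Assumes a repeating XOR key of at most
38 bytes and a DLL built with the standard DOS stub."""
import os
import re
import struct
import tempfile
from typing import Dict, List, Optional, Tuple

# Known plaintext present in nearly every MSVC-linked PE: the DOS stub message.
# The '!' sits at offset 0x4D, so the text itself starts at 0x4E.
DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E
MAX_KEY_LEN = len(DOS_STUB)  # 38 contiguous known bytes cover any key up to 38 long

# Matches the loader's invocation shape from the page: rundll32 <file>.py,<Export>
RUNDLL32_RE = re.compile(r"rundll32[^\n]*\.py\s*,\s*\w+", re.IGNORECASE)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR with the key aligned to absolute offset 0 of data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE\\0\\0 signature at e_lfanew (the DWORD at offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Try key lengths 1..max_key_len, derive every key byte from the DOS stub known
    plaintext, and accept the first key whose decode is a well-formed PE.
    An all-zero key means the blob is already a plain PE. None if nothing fits."""
    stub_end = DOS_STUB_OFFSET + len(DOS_STUB)
    if len(blob) < stub_end:
        return None
    for klen in range(1, max_key_len + 1):
        key = bytearray(klen)
        for i in range(klen):  # klen consecutive offsets hit every key position once
            off = DOS_STUB_OFFSET + i
            key[off % klen] = blob[off] ^ DOS_STUB[i]
        dec = xor(blob, bytes(key))
        # The stub bytes beyond klen act as a consistency check on the candidate key.
        if dec[DOS_STUB_OFFSET:stub_end] == DOS_STUB and looks_like_pe(dec):
            return bytes(key)
    return None


def scan_package(root: str) -> Dict[str, List[Tuple[str, bytes]]]:
    """Report (a) .py files that decode to a PE and (b) source files that call
    rundll32 on a .py path. Paths are reported relative to root with '/' separators."""
    findings: Dict[str, List[Tuple[str, bytes]]] = {"pe_in_py": [], "rundll32_loader": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            key = recover_xor_key(data)
            if key is not None:
                findings["pe_in_py"].append((rel, key))
                continue
            text = data.decode("utf-8", errors="replace")
            match = RUNDLL32_RE.search(text)
            if match:
                findings["rundll32_loader"].append((rel, match.group(0).encode()))
    return findings


# --- constructed demo fixture (not the real samples) -------------------------
DEMO_KEY = b"\x5a\x3c\x91"  # constructed demo key, not the key used by the real packages

# Constructed mimic of the dropper's __init__.py logic, not the real file.
DEMO_INIT_PY = (
    "import os, subprocess\n"
    "here = os.path.dirname(__file__)\n"
    "blob = open(os.path.join(here, 'test.py'), 'rb').read()\n"
    "# ... XOR-decode blob and write it to output.py ...\n"
    "subprocess.run(['rundll32', 'output.py,CalculateSum'])\n"
)


def build_fake_dll() -> bytes:
    """Constructed PE-shaped buffer (not a loadable DLL): MZ header, e_lfanew -> 0x80,
    the DOS stub text at 0x4D, and a PE signature at 0x80."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x4D:0x4E + len(DOS_STUB)] = b"!" + DOS_STUB
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def build_demo_package() -> str:
    """Write a throwaway package tree (fakepkg/) mimicking the layout described above."""
    root = tempfile.mkdtemp(prefix="pypi-triage-")
    pkg = os.path.join(root, "fakepkg")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "test.py"), "wb") as fh:
        fh.write(xor(build_fake_dll(), DEMO_KEY))
    with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write(DEMO_INIT_PY)
    return root


if __name__ == "__main__":
    for kind, hits in scan_package(build_demo_package()).items():
        for rel, detail in hits:
            print(f"{kind}: {rel} -> {detail!r}")
```

To run this against a real package, fetch it into a quarantine directory without installing it (for example pip download --no-deps --no-binary :all: name==version), unpack the sdist or wheel, and point scan_package at the extracted tree. A hit in pe_in_py with an all-zero key means a plain PE was shipped under a .py name, which is just as suspicious as an encoded one.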

MITRE Techniques

  • [T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – The attacker published malicious Python packages to PyPI to spread malware. ‘The Python packages confirmed this time are as follows: pycryptoenv, pycryptoconf, quasarlib, swapmempool.’
  • [T1036] Masquerading – The package names pycryptoenv and pycryptoconf resemble pycrypto so that users install them by mistake. ‘The package names pycryptoenv and pycryptoconf are similar to pycrypto…’
  • [T1027] Obfuscated Files or Information – test.py is an XOR-encoded DLL that is decoded only at run time. ‘The main body of the malware is a file named test.py. This file itself is not Python but binary data, which is an encoded DLL file.’
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The decoded DLL is run by the signed Windows binary rundll32, which loads it despite the .py extension and calls the named export: ‘rundll32 output.py,CalculateSum’.
  • [T1620] Reflective Code Loading – The loader DLL decodes NTUSER.DAT and executes the result in its own memory without writing a PE to disk; this decoded data is the main body of Comebacker. ‘NTUSER.DAT is encoded, and the decoded data is executed on memory, and this data is the main body of Comebacker.’ (The page describes in-memory execution inside the loader’s own process, not injection into another process, so T1055 Process Injection is not the right mapping.)
  • [T1071.001] Web Protocols – Comebacker communicates with C2 using HTTP POST requests; ‘POST /manage/manage.asp HTTP/1.1 …’
  • [T1105] Ingress Tool Transfer – The server responds with a Windows executable file to be executed, representing payload delivery from C2. ‘the server sends back a Windows executable file…’

Indicators of Compromise

  • [File hash] pycryptoenv packages – b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67, c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff (pycryptoenv-1.0.7.tar.gz and pycryptoenv-1.0.7-py3-none-any.whl)
  • [File hash] pycryptoconf packages – 956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531, 6bba8f488c23a0e0f753ac21cd83ddeac5c4d14b70d4426d7cdeebdf813a1094 (pycryptoconf-1.0.6.tar.gz and pycryptoconf-1.0.6-py3-none-any.whl)
  • [File hash] Quasarlib – 173e6bc33efc7a03da06bf5f8686a89bbed54b6fc8a4263035b7950ed3886179, 3ab6e6fc888e4df602eff1c5bc24f3e976215d1e4a58f963834e5b225a3821f5
  • [File hash] Swapmempool – 60c080a29f58cf861f5e7c7fc5e5bddc7e63dd1db0badc06729d91f65957e9ce, 26437bc68133c2ca09bb56bc011dd1b713f8ee40a2acc2488b102dd037641c6e
  • [File hash] Comebacker – 63fb47c3b4693409ebadf8a5179141af5cf45a46d1e98e5f763ca0d7d64fb17c, e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae
  • [File hash] Loader – 01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980, aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a
  • [URL] C2 endpoints – https://blockchain-newtech.com/download/download.asp, https://chaingrown.com/manage/manage.asp (others: https://fasttet.com/user/agency.asp, http://91.206.178.125/upload/upload.asp)
  • [Domain] C2 domains – chaingrown.com, blockchain-newtech.com, fasttet.com
  • [IP] 91.206.178.125 – observed as a C2 endpoint
  • [Filename] Output/Decoded artifacts – test.py, output.py, NTUSER.DAT, IconCache.db
  • [PDB] Debug artifacts (directory separators were lost in extraction; match on the path fragments) – workspaceCBGLoadernpmLoaderDllx64ReleasenpmLoaderDll.pdb, workspaceCBGWindowsLoadernpmLoaderDllx64ReleasenpmLoaderDll.pdb

Read more: https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html