The Socket Threat Research Team detected malicious Python packages that establish a tunnel through Gmail, allowing threat actors to exfiltrate data and execute commands remotely. The packages, utilizing hardcoded credentials, have already been removed from the Python Package Index. This attack highlights the risks associated with using legitimate services for malicious purposes.
Affected: Python Package Index (PyPI), Gmail, potential victim networks
Key points:
- Malicious Python packages were uncovered that create a tunnel via Gmail.
- The threat actors used hardcoded Gmail credentials for unauthorized access.
- The packages have been removed from the Python Package Index (PyPI).
- WebSocket connections were established for command and control operations.
- Data exfiltration and command execution were possible through these packages.
- The use of Gmail makes detection by security systems challenging.
- Previous similar tactics were employed to siphon private keys related to cryptocurrency.
- Recommendations include strict access controls and regular dependency audits to prevent future incidents.
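As an added example (not code from the Socket report or from the packages themselves), a static check a defender could run over a package's source before installing it, flagging the combination the key points describe: Gmail SMTP/IMAP or WebSocket imports, Gmail addresses or hosts in string literals, and `login()` calls whose arguments resolve to hardcoded string constants. The sample module, its address and its password are constructed placeholders.

```python
import ast
import re

# Constructed sample module imitating the reported pattern (not the real package source).
SAMPLE_MODULE = '''
import smtplib, websocket
SENDER = "constructed-example@gmail.com"   # placeholder address
PASSWORD = "app-password-placeholder"      # placeholder secret
def beacon():
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login(SENDER, PASSWORD)
    return s
'''

GMAIL_RE = re.compile(r"^[\w.+-]+@gmail\.com$")
SUSPECT_IMPORTS = {"smtplib", "imaplib", "websocket", "websockets"}


def scan_source(src):
    """Statically inspect one module and return a findings dict: suspicious
    imports, Gmail addresses/hosts in string literals, and .login() calls
    whose every argument is a string literal or a module-level string constant."""
    tree = ast.parse(src)
    # Module-level NAME = "literal" assignments, so login(USER, PASS) can be resolved.
    consts = {t.id: n.value.value for n in tree.body if isinstance(n, ast.Assign)
              and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
              for t in n.targets if isinstance(t, ast.Name)}
    out = {"imports": set(), "gmail_literals": [], "hardcoded_logins": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            out["imports"] |= {a.name.split(".")[0] for a in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            out["imports"].add(node.module.split(".")[0])
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if GMAIL_RE.match(node.value) or node.value.endswith(".gmail.com"):
                out["gmail_literals"].append(node.value)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "login"):
            resolved = [isinstance(a, ast.Constant) or (isinstance(a, ast.Name) and a.id in consts)
                        for a in node.args]
            if node.args and all(resolved):   # credentials baked into the module
                out["hardcoded_logins"] += 1
    out["imports"] &= SUSPECT_IMPORTS
    out["suspicious"] = bool(out["imports"] and out["gmail_literals"]) and out["hardcoded_logins"] > 0
    return out


if __name__ == "__main__":
    print(scan_source(SAMPLE_MODULE))
```

Credentials read from the environment or a secrets store do not resolve to constants, so a legitimate mail client is not flagged by the hardcoded-login check alone.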
MITRE Techniques:
- Web Service: Bidirectional Communication (T1102.002) - The packages utilized WebSocket connections for command and control, allowing the attacker to receive instructions and exfiltrate data through hidden communications.
Indicators of Compromise:
- Email Address: blockchain[.]bitcoins2020@gmail[.]com
- Email Address: sphacoffin@gmail[.]com
- Email Address: btcchain2@gmail[.]com
- Email Address: hackingbsb@gmail[.]com
- Malicious Python Package: Coffin-Codes-Pro
Full Story: https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism