Malicious Python Package Relies on Steganography to Download Malware
The malicious package downloads an image from the Web, then uses a steganography module to extract and execute the code to download malware.
November 9, 2022
Check Point Research has detected a malicious open source code package that uses steganography to hide malicious code inside image files.
The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI's maintainers have removed the malicious package.
The malicious package, apicolor, looks like one of many development packages available on PyPI. The header states the package is a "core lib for REST API." The package installation script for apicolor has instructions to download additional packages (requests and judyb), along with a picture from the Web. The script then uses the steganography capabilities in judyb to uncover and execute the malicious code hidden inside the image file. The malicious code downloads malware from the Web and installs it on the user's machine.
The impact seems minimal — Check Point Research found only three GitHub users including apicolor and judyb in their code, and a little over 80 projects containing the malicious packages. The infection method relies on people stumbling across these open source projects and installing them on their machines, "not knowing it brings in a malicious package import," the team said.
The more important takeaway? "These findings reflect careful planning and thought by a threat actor, who proves that obfuscation techniques on PyPI have evolved," Check Point Research wrote on the team's blog.
Attackers are no longer just relying on the strategy to copy and rename existing packages and hide malicious code inside. Instead, they are targeting certain type of users — often those working from home, and those using corporate machines for side projects, according to the research team.
About the Author(s)
You May Also Like
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024