In the Pypi catalog (Python Package Index) Revealed 11 packages including malicious code. Before identifying problems in the amount of packages managed to download about 38 thousand times. The identified malicious packages are notable to apply intricate ways to hide communication channels with intruders servers.
- ImportantPackage (6305 downloads), Important-Package (12897) – Install the connection with an external server under the type of connection to Pypi.python.org to provide Shell-access to the system (Reverse Shell) and used to hide the communication channel program Trevorc2 .
- pptest (10001), iPBoards (946) – used DNS as a communication channel to transmit information about the system (in the first package host name, working directory, internal and external IP, in the second – username and host).
- Owlmoon (3285), DiscordSafety (557), Yiffparty (1859) – detected in the Discord service token system and sent to an external host.
- TRFAB (287) – sent an ID to the external host, host name and content / etc / passwd, / etc / hosts, / home.
- 10Cent10 (490) – installed the opposite shell connection with an external host.
- Yandex-Yt (4183) – displayed a message about the compromise system and redirected to a page with additional information on further actions issued through nda.ya.ru (API.ya.cc).
Special attention deserves a method for accessing external hosts used in the ImportantPackage and Important-Package packages that used to hide their activity, the Fastly content delivery network used in the Pypi directory. In fact, the requests were sent to the Pypi.python.org server, but at the same time the server is displayed in the HTTP header of the server, controlled by attacking (sec.forward.io.global.prod.fastly.net). The content delivery network directed a similar request to the attackers server using the TLS connection parameters with Pypi.Python.org.
Pypi infrastructure operation is provided with the use of the content delivery network Fastly , in which the transparent proxy varnish is used for caching typical queries, and TLS certificates are also applied at the CDN level, rather than the end servers, to organize the forwarding of https requests through proxy. Regardless of the target host, requests are sent to a proxy, which determines the desired host on the HOST HTTP header, and the domain names of hosts are tied to the Type for all customers Fastly IP addresses of CDN load balancing.