The Lazarus hacking group, allegedly backed by the North Korean state, recently targeted software developers by publishing four malicious packages on the Python Package Index (PyPI).
The packages – pycryptoenv, pycryptoconf, quasarlib and swapmempool – have since been removed from the platform, but not before accumulating 3,269 downloads in total, with pycryptoconf alone accounting for 1,351.
According to Shusei Tomonaga, a researcher at the Japanese coordination centre JPCERT/CC, the names pycryptoenv and pycryptoconf closely resemble pycrypto, a popular Python cryptography package, which points to a typosquatting attack aimed at developers.
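The typosquatting pattern described above (a legitimate name with a plausible suffix bolted on) is cheap to screen for before a dependency is ever installed. The following is an added example, not code from the article or from JPCERT/CC: it parses a requirements file and flags names that sit within a small edit distance of, or are an affix away from, an allowlist of known packages. The allowlist, the affix set and the sample requirements are constructed for the demo; a real deployment would load something like the top-N PyPI project names.

```python
"""Added example: flag dependency names that look like typosquats of well-known
PyPI packages. KNOWN_PACKAGES and SAMPLE_REQUIREMENTS are constructed for this
demo; a real deployment would load an allowlist such as the top-N PyPI projects."""
import re

# Constructed allowlist of legitimate package names (assumption for the demo).
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "cryptography", "requests", "numpy"}

# Affixes commonly appended to a legitimate name to produce a lookalike.
SUSPICIOUS_AFFIXES = {"env", "conf", "config", "lib", "py", "utils", "tools"}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return [(legitimate_name, reason), ...] for a name that looks like a near miss
    of a known package. An exact match against the allowlist returns []."""
    n = normalize(name)
    if n in {normalize(k) for k in known}:
        return []
    hits = []
    for k in sorted(known):          # sorted so the output order is deterministic
        k = normalize(k)
        d = edit_distance(n, k)
        if d <= max_distance:
            hits.append((k, f"edit distance {d}"))
        elif n.startswith(k) and n[len(k):].lstrip("-") in SUSPICIOUS_AFFIXES:
            hits.append((k, f"suffix '{n[len(k):]}'"))
    return hits


def parse_requirements(text: str):
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def audit_requirements(text: str):
    """Map each suspicious dependency name to the legitimate names it resembles."""
    report = {}
    for name in parse_requirements(text):
        hits = typosquat_candidates(name)
        if hits:
            report[name] = hits
    return report


# Constructed sample input: two names echoing the packages discussed above, one
# transposition typo, and legitimate dependencies that must not be flagged.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the demo
pycryptoenv==1.0.0
pycryptoconf
reqeusts>=2.0
numpy==1.26.4
pycryptodome
"""

if __name__ == "__main__":
    for dep, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(dep, "->", hits)
```

The suffix rule is what catches the two pycrypto lookalikes: their edit distance from pycrypto is 3 and 4, so a distance threshold alone would miss them, while the legitimate pycryptodome passes because it is on the allowlist before any heuristic runs.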
The discovery follows research firm Phylum's recent identification of malicious packages in the npm registry, likewise aimed at developers actively working on projects.
Both campaigns share the same modus operandi: the harmful code is hidden inside a test script, which in fact serves as a carrier for a DLL file obfuscated with XOR encoding.
Once decoded, that file drops two further DLL files named IconCache.db and NTUSER.DAT, which download and execute the ComeBacker malware; ComeBacker then establishes communication with a remote server in order to fetch and run a Windows executable.
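A test script that is really a wrapper around an XOR-encoded DLL leaves a recognisable trace: a long, high-entropy string literal that, once decoded and un-XORed with the right byte, starts with an MZ header. The block below is an added triage example, not code from the article, from JPCERT/CC or from Phylum. It scans Python source for long base64 literals, measures their entropy, brute-forces the 256 possible single-byte XOR keys and reports whether any of them yields a PE image. The fake PE image and the "test script" it is embedded in are constructed for the demo; real samples may use multi-byte keys or other encodings, which this single-byte check does not cover.

```python
"""Added example: triage a package's Python source for long encoded literals and
test whether a single-byte XOR key turns one into a Windows PE image. The fake
payload and the "test script" below are constructed for the demo."""
import base64
import math
import re

MIN_BLOB_CHARS = 64   # ignore short string literals


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_base64_blobs(source: str):
    """Quoted literals made only of base64 characters, at least MIN_BLOB_CHARS long."""
    pattern = r"""['"]([A-Za-z0-9+/=]{%d,})['"]""" % MIN_BLOB_CHARS
    return [m.group(1) for m in re.finditer(pattern, source)]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(data: bytes):
    """Brute-force the 256 single-byte keys; return the one that yields a PE, else None."""
    for key in range(256):
        if looks_like_pe(xor_bytes(data, key)):
            return key
    return None


def triage_source(source: str):
    """One finding per decodable blob: size, entropy and whether XOR-unwrapping gives a PE."""
    findings = []
    for blob in find_base64_blobs(source):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, TypeError):
            continue
        key = recover_xor_key(raw)
        findings.append({
            "length": len(raw),
            "entropy": round(shannon_entropy(raw), 2),
            "xor_key": key,
            "pe_image": key is not None,
        })
    return findings


# ---- constructed sample: a fake PE image XORed with one byte, hidden in a test file ----
def _build_fake_pe(size: int = 512) -> bytes:
    img = bytearray(bytes(range(256)) * (size // 256))   # high-entropy filler
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")        # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)

DEMO_KEY = 0x5A          # constructed key for the demo
FAKE_PE = _build_fake_pe()
SAMPLE_TEST_SCRIPT = '''
import unittest

# constructed "test" module that carries an encoded blob
BLOB = "%s"

class TestNothing(unittest.TestCase):
    def test_ok(self):
        self.assertTrue(True)
''' % base64.b64encode(xor_bytes(FAKE_PE, DEMO_KEY)).decode()

if __name__ == "__main__":
    for finding in triage_source(SAMPLE_TEST_SCRIPT):
        print(finding)
```

Checking the PE signature at e_lfanew rather than only the two MZ bytes keeps false positives down: a single-byte key will turn some random blob into "MZ" roughly once in 65,536 tries, but it will not also line up a valid PE header behind it.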
JPCERT/CC also notes that these malicious packages are linked to a campaign Phylum documented in November 2023, in which npm modules themed around cryptocurrencies were used to deliver the ComeBacker malware.
In light of these findings, Shusei Tomonaga has issued a warning about the risk of inadvertently installing malicious software: developers are advised to exercise caution when installing packages from repositories and other sources, so as to avoid unintentional exposure to harmful code.