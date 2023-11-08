

Highly aggressive malware targeting software developers is once again circulating in trojanized code libraries, the latest of which has been downloaded thousands of times over the past eight months, researchers said Wednesday.

Security firm Checkmarx reported that since January, eight different developer tools have carried hidden payloads with various nefarious capabilities. The most recent was released last month under the name “pyobfgood”. Like the seven packages before it, pyobfgood was presented as a legitimate obfuscation tool that developers could use to prevent reverse engineering and tampering with their code. Once executed, it installed a payload giving the attacker almost complete control of the developer’s machine. Capabilities include:

Extract detailed host information

Steal passwords from the Chrome web browser

Set up a keylogger

Download files from the victim’s system

Capture screenshots and record both screen and audio

Render the computer unusable by driving up CPU usage, placing a batch script in the startup directory to shut down the PC, or forcing a BSOD with a Python script

Possibly encrypt files for ransom

Disable Windows Defender and Task Manager

Execute any command on the compromised host

In total, pyobfgood and the seven tools before it were installed 2,348 times. All of them targeted developers using the Python programming language; as purported obfuscators, they specifically lured developers who wanted to keep their code secret because it contained hidden capabilities, trade secrets, or other sensitive functions. The malicious payloads varied from package to package, but all were notable for their level of intrusiveness.

“The various packages we examined exhibited a variety of malicious behaviors, some of which resembled the behaviors found in the ‘pyobfgood’ package,” Checkmarx security researcher Yehuda Gelb wrote in an email. “However, their functionalities are not completely identical. They share many similarities, such as the ability to download additional malware from an external source and steal data.”

All eight tools used the string “pyobf” as the first five characters in an attempt to mimic real obfuscator tools like pyobf2 and pyobfuscator. The other seven packages were:

pyobftoex

pybfsfile

pyobfexcute

pyobfpremium

pyobflight

pyobfdvans

pyobfuse

While Checkmarx focused primarily on pyobfgood, the company provided a release timeline for all eight packages.

[Figure: A timeline showing the releases of all eight malicious obfuscation tools. Source: Checkmarx]

pyobfgood installed Discord bot functionality that talks to the attacker’s Discord servers using the following hard-coded string, which has the three-part, dot-separated format of a Discord bot token:

MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpFS3zy5v2g7k2vyiufQ183Lo

Nothing on the infected computer gave any outward sign of trouble. Behind the scenes, however, the malicious payload was not only intruding on some of the developer’s most private moments but also silently mocking the developer in source code comments. Checkmarx explained:

The Discord bot includes a specific command to control the computer’s camera. It achieves this by carefully downloading a zip file from a remote server, extracting its contents and running an application called WebCamImageSave.exe. This allows the bot to secretly take photos using a webcam. The resulting image is sent back to the Discord channel after deleting the downloaded files, leaving no evidence of its presence.

[Figure: source code showing various comments, among them “Stop listening to background music.” Source: Checkmarx]

Amidst these malicious actions, the bot’s malicious humor emerges through messages that mock the imminent destruction of the compromised machine. “Your computer is about to burn, good luck :)” and “Your computer is about to die, good luck getting it back :)” But hey, at least these messages have a smiley at the end. These messages expose not only the malicious intent but also the audacity of the attackers.

[Figure: source code comments. Source: Checkmarx]

Downloads of the package came primarily from the US (62 percent), followed by China (12 percent) and Russia (6 percent). As for why obfuscation tools make an effective lure, the Checkmarx researchers wrote: “This is because developers engaged in code obfuscation are potentially dealing with valuable and sensitive information, and therefore, for a hacker, this is a goal worth pursuing.”

This is by no means the first time that malware mimicking the names of real packages has been detected in open source software. One of the first documented cases came in 2016, when a college student uploaded sketchy scripts to RubyGems, PyPI, and NPM, the community package repositories for developers in the Ruby, Python, and JavaScript programming languages, respectively. A phone-home feature in the student’s script revealed that the bogus code was executed more than 45,000 times on more than 17,000 different domains, and more than half of the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.

Shortly after this proof of concept demonstrated the effectiveness of the trick, real-world attackers adopted the technique in a series of malicious open source submissions that continues to this day. The never-ending stream of attacks should serve as a cautionary tale underlining the importance of carefully vetting a package before allowing it to run.

Those who want to check whether they have been targeted can search their machines for the eight package names listed above, the Discord bot token shown above, and the URLs hxxps[:]//transfer[.]sh/get/wDK3Q8WOA9/start[.]PE and hxxps[:]//www[.]nirsoft[.]net/utils/webcamimagesave.zip. One caveat: WebCamImageSave is a legitimate NirSoft utility that the payload downloaded and abused, so a reference to that URL is suspicious only alongside the other indicators; the Discord token and the transfer.sh path are the more specific ones.
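As an added example (not code from Checkmarx or from the article), the following Python script turns the two checks the article implies into something a developer can run: the name-mimicry point made earlier (anything installed whose name starts with “pyobf” and is neither a known legitimate obfuscator nor on the list deserves a look) and the indicator search in the previous paragraph. The eight names, the Discord token and the URL fragments are the ones quoted in the article; the sample `pip freeze` output and the sample source file are constructed, and the transfer.sh indicator is matched on its path prefix only, because the file name is not reliably legible above.

```python
"""Hunt for the eight 'pyobf*' packages and the indicators named in this article.

Added example, not code from Checkmarx or from the article. The package names,
the Discord token and the URL fragments are the ones quoted above; everything
else (the sample `pip freeze` output, the sample source file) is constructed.
"""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

# The eight names as printed in the article, lower-cased (PyPI names are
# case-insensitive). 'pybfsfile' is kept exactly as the article spells it.
MALICIOUS_NAMES = {
    "pyobfgood", "pyobftoex", "pybfsfile", "pyobfexcute",
    "pyobfpremium", "pyobflight", "pyobfdvans", "pyobfuse",
}
# Real obfuscators the campaign imitated; any other 'pyobf*' name is suspicious.
LEGIT_OBFUSCATORS = {"pyobf2", "pyobfuscator"}
# Re-fanged indicator strings. The transfer.sh entry uses only the path prefix
# because the file name is not reliably legible in the article.
IOC_STRINGS = (
    "MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpFS3zy5v2g7k2vyiufQ183Lo",
    "transfer.sh/get/wDK3Q8WOA9/",
    "nirsoft.net/utils/webcamimagesave.zip",
)


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> list[str]:
    """Extract distribution names from `pip freeze` output."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):  # comments, -e/-r lines
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_installed(names: list[str]) -> dict[str, list[str]]:
    """Split installed names into known-malicious and unknown 'pyobf*' lookalikes."""
    malicious, lookalike = set(), set()
    for raw in names:
        n = normalize(raw)
        if n in MALICIOUS_NAMES:
            malicious.add(n)
        elif n.startswith("pyobf") and n not in LEGIT_OBFUSCATORS:
            lookalike.add(n)
    return {"malicious": sorted(malicious), "lookalike": sorted(lookalike)}


def scan_text(text: str) -> list[str]:
    """Return the indicator strings that occur in a file body."""
    return [ioc for ioc in IOC_STRINGS if ioc in text]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every readable file under root (e.g. site-packages) for IOCs."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            found = scan_text(path.read_text(errors="ignore"))
        except OSError:
            continue
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples, not real captures.
SAMPLE_FREEZE = """\
requests==2.31.0
Pyobfgood==1.0.0
pyobf2==1.2.0
pyobf-lite @ file:///tmp/pyobf_lite-0.1-py3-none-any.whl
-e git+https://example.invalid/tool.git#egg=tool
"""
SAMPLE_SOURCE = (
    "TOKEN = 'MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpFS3zy5v2g7k2vyiufQ183Lo'\n"
    "URL = 'https://www.nirsoft.net/utils/webcamimagesave.zip'\n"
)

if __name__ == "__main__":
    freeze = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                            capture_output=True, text=True, check=False).stdout
    print(check_installed(parse_freeze(freeze)))
    for site in sys.path:
        if site.endswith("site-packages") and Path(site).is_dir():
            for path, found in scan_tree(Path(site)).items():
                print(path, found)
```

Run it inside each virtual environment you use, not just the system interpreter, since `pip freeze` only sees the environment it is invoked from. The lookalike bucket is deliberately noisy: it exists so that a typosquat the list does not yet know about still gets a human look.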

