Evidence Leads to Lazarus as the VMConnect Supply Chain Attack Continues

HawkEye SOC Packages
Recently, Sonatype and Reversing Labs analyzed the fraudulent PyPI package ‘VMConnect,’ developed to imitate the authentic VMware vSphere connector module closely, ‘vConnector,’ but actually contains a malicious code.

Background:

24 malicious packages imitating three well-known open source Python tools were discovered by ReversingLabs researchers. These tools are vConnector, a wrapper module for the pyVmomi VMware vSphere bindings, eth-tester, a set of tools for testing Ethereum-based applications, and databases, a tool that provides asyncro support for a number of databases. The campaign started on or about July 28, 2023, when the first of the malicious packages was released, according to the research team’s observations. Even now, new malicious PyPI packages are still being published every day as older ones are found and taken down.

Analysis of the campaign:

The VMConnect campaign is the most recent instance of malware spreading through open source modules, providing additional evidence that security checks of open source code repositories may not catch these sophisticated attacks. The __init__.py file for VMConnect contains code that may start a process, decode data with the Base64 method, and transform binary data to a string representation—behaviors frequently employed in obfuscation. The combination of actions led to the first identification and inspired more research. The existence of malicious functionality inside the package was established by an in-depth review of the __init__.py file. That process began with the Base64-encoded string, which was then decoded and carried out by a different process. Execution-of-Base64-encoded-string

Execution of Base64 encoded string inside the __init__.py file (Source: Reversing labs)

An endless execution loop that contacts the command and control (C2) server and tries to download a new Base64-encoded string with more commands is present in the decoded and executed Base64 string. If it is successful, the code executes and the loop is repeated. After a predetermined sleep time, the infected host queries the C2 server for new commands. A developer going by Hushki Manager published the VMConnect package on July 28th; this PyPI account was created only for the purpose of publishing the VMConnect package. Despite this, the actor made a big effort to make the look seem genuine. For instance, it contains a description that appears to be real and matches the functionality offered by the program. The attackers in this campaign, however, used a more systematic strategy. The attackers correctly placed links to a Github source code repository that was created by the same author on the same day in addition to utilizing the description from the real packages. The Github project page appears legitimate; it has multiple commits, a description that matches the PyPI page, and no files that stand out as immediately suspect. malicious-VMConnect-project

Github description of the malicious VMConnect project.

legitimate-VConnector-project

Github description of the legitimate vConnector project.

Attribution:

The ReversingLabs research team analyzed the malware samples found as part of this expanded VMConnect campaign in an effort to better understand the campaign’s origins and to connect it to other well-known malware efforts. During the investigation, the team discovered hints that led to the Lazarus outfit, a North Korean advanced persistent threat (APT) outfit that has been connected to a number of sophisticated operations. Researchers uncovered a package called py_QRcode that contains a builder.py file with malicious functionality that is quite similar to that found in the VMConnect package by experimenting with various threat hunting YARA rules based on the samples gathered in the most recent campaign. decryption-of-payload

Figures 6 and 7 show highlighted similarities in the code responsible for the decryption of payload, which, in both cases, is executed with a call to subprocess the Popen function.

Lesson Learned:

The lesson here is that release packages can—and often do—contain harmful functionality that isn’t seen in open source repositories and can’t, therefore, be found using manual source code reviews or source code scanning alone. To protect themselves from supply chain attacks like this VMConnect PyPI campaign, these teams want a way to identify suspicious material in the final release packages themselves.

IOCs:

45.61.139.219 ethertestnet.pro deliworkshopexpress.xyz packages-api.test tableditermanaging.pro 45.61.136.133 b0095f149951241c6e11e0d1be1f74e8cdfbdbb2 2ff1b3aa2dbff6d87447b250a8d19241e7853ab0 67226da423ab4a2c97b2d008dec45280aaa5fdf5 146942c5dbaba55be174b1bfb127410e332caa03 0eb79e80c51c0e14be3620dfb237f7b53160a292 bc2d48d6d9eeaf0b29625683942e90dfd2b75723 9a276ca3678898f5596166416f7e709a2064e95c 658605988c7afd9adf437fb64ff682cb4190f144 5f03b73d56528ecbc3f24b8e7daec6b3d3370834 19684554e4905bb3cf354a5d5a0f00d696f38926 e531121b137182453f0d120be860ad882d2dc0a7 b1f2d50be0aca0672475488d77c6f71a1b0633f8 de4e9efeace6ff76dc00a166dca152dc3021d799 664f0913a5952eeb77373f83e090fab7e94aa45e bd7ba47f730c2bc33afa67a39d9cbe3768f62426 0dc723e77a5b97183a90eaecb62c9b7341e483ed 6bf76b01bd17f370cd3f9947135bf250597d1ac1 497df2fd2dba324be04cc57f50a3170b532aa70c d404a55f1f7fbcd8b3156a84ebcf97c57ba24b95 9588affaf9d85e2141b9d76b914d9f89a8292574 dbc14c3ac0528a8aeb6edba8a0b2792dab131102 0b7b4444f820e9990dfeb5e2080321b5f25a9785 e6494b9a91862191556d77022e5577ddbe749ef4 a1b039f88c385f5c5eec2ef1701251c7341b1fcd 321363f11464208ee24e56a700ad5d26154df4bd 5e026885bcf4b67993aefa4e992153f6d81c11da 049cc8d88a086c8fc69b51d76b6c0c4c2a66fa08 bbb1e2ac1d243b8db922a23821de570702140145 fdea182ffe7c04c28f28f88ceb9624732bb36bdc e3545b2c53c2cb8f012f0badc1bf452badfee341 859f5b0af717fca9f890dcba0b87ac63be469033 e063b210b50ca1426da45afa430d87c53b2ef5d2 39e9859f0cf85a0c8361e042e8316d4e185d1cfb b1880340818a1feda156abd272255bcc018f8bef 2c72edf29d5bca22525d612c94f1ee323c47be0c 9b8eefa1d7ee348c2b1b4c350028df5c2707c3d8 aeeb445216a205abd770546dfa8d03f8b94515a1 89c05ecd388c5f168704c5a8e1d37f72a7f0f0f4

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment