
[Security notice] PyPI official repository hit by covd malicious package poisoning

2020-12-07 19:23:32 Tencent Security Emergency Response Center

Authors | Tencent Onion anti-intrusion system: Seven Nights, xnianq, Conan

Recently, the Tencent Onion anti-intrusion system detected that a malicious package named covd had been uploaded to the official PyPI repository, and notified the repository maintainers, who removed it. Because domestic open source mirror sites synchronize with the official PyPI repository, the problem is not confined to the official repository: it may also reach a large number of users through the various open source mirrors. Upholding its principle of building a secure ecosystem, the Tencent Security Emergency Response Center (TSRC) hereby advises all open source mirror sites, and all organizations and companies that depend on them, to check and remediate as soon as possible, make sure the malicious package is purged, and keep their users safe.

0x01 Incident description

On November 16 at 17:02 an attacker uploaded the malicious package covd to the official PyPI repository. The package typosquats the legitimate covid package by imitating its name. Through it the attacker can compromise the infected host, plant a Trojan, and carry out command and control and other activities. The malicious code is present in the 1.0.2/4 versions.

The legitimate covid package retrieves novel coronavirus statistics from Johns Hopkins University and worldometers.info and sees thousands of installations a day. Against the backdrop of the global pandemic, the number of users who mistype the package name and install the covd typosquat instead of covid will keep growing.
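Name confusion of this kind can be caught before installation. The following check is an added example (not code from the notice or from Tencent): it compares the packages listed for installation against a constructed watchlist of names an organization actually depends on and flags any package within one edit (insertion, deletion, substitution or adjacent transposition) of a watchlisted name, which is exactly the relation between covd and covid. The watchlist contents are an assumption for illustration.

```python
# Constructed watchlist of package names worth protecting against name
# confusion. In practice this is the curated list of a project's real
# dependencies, normalised as PEP 503 does (lower case, '_' and '.' -> '-').
WATCHLIST = {"covid", "requests", "numpy", "urllib3"}


def _normalize(name: str) -> str:
    return name.lower().replace("_", "-").replace(".", "-")


def _within_one_edit(a: str, b: str) -> bool:
    """True if b is reachable from a by exactly one insertion, deletion,
    substitution or adjacent transposition (Damerau-Levenshtein distance 1)."""
    if a == b:
        return False
    la, lb = len(a), len(b)
    if abs(la - lb) > 1:
        return False
    if la == lb:
        diffs = [i for i in range(la) if a[i] != b[i]]
        if len(diffs) == 1:
            return True  # single substitution
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]]):
            return True  # adjacent transposition (e.g. "covdi" vs "covid")
        return False
    # Lengths differ by one: a single insertion or deletion.
    short, long_ = (a, b) if la < lb else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def find_typosquats(installed, watchlist=WATCHLIST):
    """Return (installed_name, lookalike_of) pairs for every requested package
    whose normalised name is one edit away from a watchlisted package but is
    not itself on the watchlist. Order follows the input order."""
    hits = []
    for name in installed:
        norm = _normalize(name)
        if norm in watchlist:
            continue
        for target in sorted(watchlist):
            if _within_one_edit(norm, target):
                hits.append((name, target))
    return hits


if __name__ == "__main__":
    # Constructed requirements: one genuine package and two lookalikes.
    for pkg, target in find_typosquats(["covd", "covid", "request", "numpy"]):
        print(f"WARNING: '{pkg}' is one edit away from watchlisted '{target}'")
```

Run it against the output of `pip freeze` or a requirements file before installation; a hit is a prompt to verify the package on PyPI, not proof of malice, since some legitimate packages do have near-identical names.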

0x02 Technical analysis

1. Reuse of the covid package code

Downloading both the covid and covd packages from the official PyPI repository and unpacking them shows that the covd typosquat is a complete copy of the covid code.

2. Inserted malicious code

The only change in the covd package is obfuscated malicious code added to __init__.py; it hides the C2 domain name and the exec keyword with hex encoding, which makes it very stealthy. The malicious code is shown in the figure below:
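The hex-encoding trick described here leaves a static signature: string literals written almost entirely as `\xNN` escapes that decode to `exec`, a URL or similar, and calls that reach `exec`/`eval` indirectly through a string. The scanner below is an added example (not the notice's own tooling) that parses a package's `__init__.py` with Python's `ast` module and reports those indicators. The sample source it scans is constructed for the example; its placeholder domain `c2.example.invalid` is invented and the sample is only parsed, never executed.

```python
import ast
import re

# Tokens whose appearance inside a hex-escaped literal is a strong signal
# that the author is hiding execution or beaconing from casual review.
SUSPICIOUS_TOKENS = ("exec", "eval", "compile", "__import__",
                     "http://", "https://", "urlopen", "socket")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")

# Constructed stand-in for a poisoned __init__.py: legitimate import kept,
# C2 URL and the word "exec" spelled out as \xNN escapes.
SAMPLE_INIT = r'''
from .covid import Covid
__version__ = "1.0.2"
_h = "\x68\x74\x74\x70\x3a\x2f\x2f\x63\x32\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x67\x65\x74"
_e = "\x65\x78\x65\x63"
_f = getattr(__builtins__, _e)
'''


def scan_source(source: str) -> list:
    """Return a list of findings (dicts with kind, line, decoded, tokens)."""
    tree = ast.parse(source)

    # Pass 1: remember simple `name = "literal"` assignments so that an
    # indirection such as getattr(__builtins__, _e) can be resolved.
    const_names = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            const_names[node.targets[0].id] = node.value.value

    def resolve(arg):
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            return arg.value
        if isinstance(arg, ast.Name):
            return const_names.get(arg.id)
        return None

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            # The parser already decoded the escapes; look at the raw text
            # to see whether the literal was written as \xNN sequences.
            segment = ast.get_source_segment(source, node) or ""
            if len(HEX_ESCAPE.findall(segment)) >= 3:
                tokens = [t for t in SUSPICIOUS_TOKENS if t in node.value]
                findings.append({"kind": "hex_escaped_string", "line": node.lineno,
                                 "decoded": node.value, "tokens": tokens})
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            fn = node.func.id
            if fn in ("exec", "eval"):
                findings.append({"kind": "dynamic_exec", "line": node.lineno,
                                 "decoded": fn, "tokens": [fn]})
            elif fn == "getattr" and len(node.args) >= 2:
                attr = resolve(node.args[1])
                if attr in ("exec", "eval", "compile", "__import__"):
                    findings.append({"kind": "indirect_builtin", "line": node.lineno,
                                     "decoded": attr, "tokens": [attr]})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_INIT):
        print(f"line {f['line']}: {f['kind']} -> {f['decoded']!r} {f['tokens']}")
```

Point it at the files of every package in a mirror's sync set (or at `site-packages` after an install); a hex-escaped literal that decodes to `exec` or a URL has no place in a statistics client and is worth a manual look, while hex escapes alone (binary protocol constants, for instance) are only noise if they decode to nothing on the token list.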

3. Triggered by the user

Once the user has installed the covd package and imports it (import covd), the obfuscated malicious code in __init__.py runs. Its job is to load a Python Trojan from the C2 server named in the file and execute it in memory. The deobfuscated malicious code is shown in the figure below.

4. Running the Python remote-control Trojan

The remote-control Trojan loaded from the C2 server named in the file (http://a.sababa.website/get) is shown below; its core function is command execution.

The Trojan loops, asking the command C2 server (https://sababa.website/api/ready) for commands to execute, runs them, and returns the results as JSON to a second C2 endpoint (https://sababa.website/api/done).

0x03 Related IoCs

Domain names:

a.sababa.website

sababa.website

URLs:

http://a.sababa.website/get

https://sababa.website/api/ready

https://sababa.website/api/done
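The IoCs above are most useful when swept across proxy or DNS logs. The following is an added example (not part of the notice) that matches the listed domains and URLs against a constructed proxy log and, because the Trojan loops on the /api/ready endpoint, also surfaces clients that polled it repeatedly. The log format, client addresses and timestamps are all constructed for the example; domain matching is by exact name or subdomain, never by plain substring, so a lookalike such as `sababa.website.example.com` is not a hit.

```python
from urllib.parse import urlsplit

# IoCs as listed in the notice.
IOC_DOMAINS = {"a.sababa.website", "sababa.website"}
IOC_URLS = {
    "http://a.sababa.website/get",
    "https://sababa.website/api/ready",
    "https://sababa.website/api/done",
}

# Constructed proxy log: "<epoch> <client-ip> <method> <url>" per line.
SAMPLE_LOG = """\
1605517322 10.0.0.12 GET http://a.sababa.website/get
1605517330 10.0.0.12 GET https://sababa.website/api/ready
1605517335 10.0.0.12 GET https://sababa.website/api/ready
1605517340 10.0.0.12 GET https://sababa.website/api/ready
1605517341 10.0.0.12 POST https://sababa.website/api/done
1605517342 10.0.0.33 GET https://pypi.org/simple/covid/
1605517350 10.0.0.33 GET https://www.sababa.website.example.com/
"""


def domain_matches(host: str, iocs=IOC_DOMAINS) -> bool:
    """Exact match or a subdomain of an IoC domain (never a bare substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def parse_line(line: str) -> dict:
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "host": parts.hostname or "", "path": parts.path}


def match_iocs(log_text: str) -> list:
    """Return the parsed records that hit an IoC, each tagged with why."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["url"] in IOC_URLS:
            reasons.append("url")
        if domain_matches(rec["host"]):
            reasons.append("domain")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def beaconing_clients(hits, path="/api/ready", min_polls=3) -> list:
    """Clients that hit the command-polling endpoint at least min_polls times,
    i.e. the loop behaviour of the Trojan described above."""
    counts = {}
    for h in hits:
        if h["path"] == path:
            counts[h["client"]] = counts.get(h["client"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_polls)


if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['url']} <- {','.join(h['reasons'])}")
    print("hosts polling for commands:", beaconing_clients(hits))
```

A client that appears in the beaconing list is a host on which covd was imported and the Trojan is running; the first hit on /get marks the initial load, and a /api/done request means at least one command has already been executed and its result exfiltrated.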

0x04 Closing remarks

In recent years, the weak governance of scripting-language package communities and the low cost of attacking them have made them a hotbed of software supply chain attacks. To date, the Tencent Onion anti-intrusion system has uncovered several serious software source poisoning incidents and notified the industry ahead of time:

[Security notice] PyPI official repository hit by request malicious package poisoning

[Notice] Tencent Onion anti-intrusion system detected multiple malicious packages poisoning the Python repository supply chain

At the same time, upholding the principle of building a secure ecosystem, we have actively shared with the wider community how the Onion anti-intrusion system detects software source poisoning:

The battle at the source, where attack and defense keep escalating: an exploration of defending against software supply chain attacks

Tactics must adapt to circumstances, and like water the threat has no fixed form: attackers grow ever more covert and the contest between attack and defense keeps getting harder. Only by keeping pace with the technology and continually advancing can one seize the initiative in that contest.

0x05 About the Onion anti-intrusion system

The Onion system is a server security system (EDR) developed by Tencent. It supports the x86 and arm architectures and provides intrusion detection, vulnerability detection, baseline security scanning and similar capabilities for Tencent's millions of servers, meeting security and compliance requirements; it already serves QQ, WeChat, Tencent Cloud, Tencent Games and other businesses. The Onion team focuses on attack and defense, with particular attention to infrastructure security such as third-party components and software sources; major security risks it finds are also reported to the affected upstream projects, and interested security teams are welcome to get in touch and collaborate. The Onion team is also working with Tencent Cloud to provide security support to external enterprises.

Original statement: this article is published by the community with the author's authorization; reproduction without authorization is prohibited.

If there is any infringement, please contact yunjia_community@tencent.com for removal.

Copyright notice
This article was written by [Tencent Security Emergency Response Center]; please include the original link when reposting. Thank you.
https://chowdera.com/2020/11/20201119031742487e.html