Cobalt Strike Dropped by Malicious Code Repositories

Open source code repositories are critical part of the software supply chain that use to build applications which is an attractive target for adversaries seeking to distribute malware.

The latest is a malicious package for distributing Cobalt Strike on Windows, macOS, and Linux systems, which was uploaded to the widely used PyPI registry for Python application developers. The Pymafka package has a name that’s very similar to PyKafka, a popular Apache Kafka client for Python

Advertisements

More than 300 users were tricked into downloading the malicious package, thinking it was the legitimate code, before researchers discovered the issue and reported it to the PyPI registry. It has since been removed, but applications that incorporated the malicious script remain a threat.

The incident marks the second typo-squatting incident involving the Apache Kafka project. Though the malicious package on PyPI had the same name as the legitimate project, it was designed to steal IP addresses, user names, and other information for fingerprinting devices on which the package was installed.

Pymafka as designed to detect the platform on which it is installed and then embed an OS-appropriate version of a Cobalt Strike beacon on the device.

The executables being downloaded from an IP address associated with cloud-hosting provider Vultr. Once installed on a system, the beacon attempts to communicate with a China-based IP address assigned to Alibaba.

The pymafka incident is the latest in a growing number of security incidents involving PyPI and other public repositories. Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure