FlagThis - #python

Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.

A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses.

The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services.


References :

• securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
• BleepingComputer: Malicious PyPI packages abuse Gmail, websockets to hijack systems
• bsky.app: Seven malicious PyPi packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution.
• bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
• socket.dev: Packages use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
• securityonline.info: Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels
• Cyber Security News: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
• gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
• Virus Bulletin: Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. These seven packages: use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic.
• gbhackers.com: Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands
• cyberpress.org: Seven Malicious Packages Exploit Gmail SMTP to Execute Harmful Commands
• socket.dev: Using Trusted Protocols Against You: Gmail as a C2 Mechanism
• Secure Bulletin: In the ever-evolving landscape of cybersecurity, attackers are increasingly exploiting trusted services to establish covert command-and-control (C2) channels.
• securebulletin.com: Hijacking Trust: how Gmail and Google APIs are being weaponized for stealthy C2 channels
• bsky.app: Socket Security has spotted seven malicious PyPI packages that use Gmail SMTP servers as tunnels to infected systems
• Davey Winder: Gmail Warning As Data-Stealing Hacker Tunnel Confirmed
• Cyber Security News: 7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands

Classification:

• HashTags: #C2 #Gmail #GoogleAPIs
• Company: Google
• Target: Internal dashboards, APIs, admin panels
• Product: Gmail, Google APIs
• Feature: C2 channels
• Type: Malware
• Severity: Major

A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.

The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.


References :

• The Hacker News: Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries.
• Developer Tech News: A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI). According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
• Cyber Security News: PyPI Malware Exploits Developers to Hijack Ethereum Wallets
• gbhackers.com: New PyPI Malware Targets Developers to Steal Ethereum Wallets
• www.cysecurity.news: Researchers at have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.â€�

Classification:

• HashTags: #Ethereum #PyPI #Malware
• Company: Python
• Target: Ethereum Developers
• Product: set-utils
• Feature: Private Key Theft
• Malware: set-utils
• Type: Malware
• Severity: Major